The 25th of May 2018 marked an epic milestone for data protection in Germany. It pulled double duty, launching a new era in global data privacy with Europe's General Data Protection Regulation (GDPR) but also bringing into full effect the new German Privacy Act (Bundesdatenschutzgesetz), also known as BDSG-new.
The BDSG-new takes the GDPR up a gear, thanks to the 70+ opening clauses allowing EU member states — per German Bundestag (The German Parliament) to modify, clarify, and complement the GDPR while building on its key tenets.
But to what extent are the rights of data subjects recognized according to the BDSG-new, and how can data subjects enforce their data privacy rights? Which organizations must comply? And the elephant in the room: how not to run afoul of German data protection laws? In this post, we answer all these and then some.
February 2024 update: Following recent communication from the Higher Regional Court of Cologne, we have reasons to think that, moving forward, including a "Reject all" button in consent banners will be required in Germany. While this can still be subject to interpretations, we encourage organizations to watch this space in the coming months.
- Frequently Asked Questions (FAQ)
Relevant data privacy laws in Germany
Data protection law in Germany is captured by three pieces of legislation:
The General Data Protection Regulation
In 2018, the GDPR was adopted by the European Union (EU), with far-reaching implications for German data protection laws.
The GDPR replaced the Data Protection Directive 95/46/EC (DPD), setting out more stringent requirements for data controllers and processors, including the requirement for explicit consent for data collection, the right to be forgotten, and enforcement requirements.
The New Federal Data Protection Act (The BDSG-new)
The BDSG-new (Click here for the English translation of the BDSG) is called as such because it replaced the former BDSG on 25th May 2018. It was designed to bring the German privacy law on par with the GDPR and the EU-Privacy Directive for Policy and Justice (EU-Directive 2016/680).
It ensures the protection of personal data, whether processed by advanced technology (think automated means like computer-based processing) or more traditional methods. (non-automated means like paper records and manual processing).
In any case, as outlined in Sec (1) of the BDSG-new, the BDSG-new covers any personal data intended to be part of a filing system.
In addition to the BDSG, there are various sector-specific data protection regulations, such as those governing financial and energy industries.
On December 1, 2021, the Telecommunications-Telemedia-Data Protection Act (Telekommunikation Telemedien Datenschutzgesetz — TTDSG) was introduced and set to be enforced in 2023.
This law provides clear data protection regulations for electronic communications and Telemedia providers, resolving previous ambiguities regarding the application of the German Telecommunications Act (Telekommunikationsgesetz - TKG) and the German Telemedia Act (Telemediengesetz - TMG) in light of the General Data Protection Regulation (GDPR), which is considered more superior legislation.
History of data privacy in Germany
Germany has a rich backdrop of data protection laws evolving to keep pace with technological changes and how personal data is collected, used, and shared.
It all dates back to the post-World War II era, with the federal state of Hesse passing the first national data protection law worldwide. It further proposed a bill for a Federal Data Protection Act in 1971, which was finally passed into law as the Federal Data Protection Act (Bundesdatenschutzgesetz — BDSG) on the 1st of January, 1978.
This law established the principles of data protection and set out the rights and responsibilities of data controllers and processors. It also created the Federal Commissioner for Data Protection, responsible for enforcing the law.
Much has changed since, as in the 1990s, landmark cases like the Volkszählungsurteil of December 15, 1983 — A German consensus verdict of the constitutional courts that established self-determination of information; in simple terms, the principle that individuals have the power to decide when and to what extent personal information is published — strengthened its data protection laws in response to the increased use of technology and the internet.
Today, running concurrently with the GDPR, which was rolled out on the 25th of May 2018, is the new German Federal Data Protection Act (BDSG-new) replacing the former BDSG, which applies locally.
Scope of application for Germany's data protection laws
As a preliminary issue, many firms believe the mere accessibility of their website in the EU is enough to subject them to GDPR. What actually binds companies with an online presence in the EU region to the GDPR or German Laws would be processing or controlling the personal data of data subjects with a clear intention to offer goods or services or monitor behavior.
“Processing” in this context is not limited to advanced technology (think computer-based processing). It also extends to more traditional means (think manual processing and paper records). In fact, it covers any personal data designed to be part of a filing system (as seen in Section 1 of the BDSG-new).
While the BDSG-new applies to public bodies, such as public authorities, it also goes a step further to cover private bodies, such as natural and legal persons and other types of private companies. While the regulations for public bodies are thorough and all-encompassing, the BDSG-new also includes specialized rules for private companies, making it a must-have for all organizations.
In Germany, the BDSG applies to non-public bodies if:
The processing of personal data takes place in Germany,
Such data processing activities are traceable to the German branch of an international organization being a controller or processor,
Such a controller or processor doesn't have an establishment in the EEA (European Economic Area countries: Norway, Lichtenstein, and Iceland), but the processing falls within the scope of the GDPR.
So whether you're a business within or outside the EU, it's important to stay compliant with these laws to protect the personal data of EU residents.
BDSG-new & Europe's General Data Protection Regulation (GDPR)
Generally speaking, the BDSG-new does not apply to matters where the European GDPR is already in effect since the GDPR supersedes it. As such, European Union countries are not allowed to create their own data protection laws on certain matters if the GDPR already covers them.
However, in instances where the GDPR allows for exceptions (as seen in the 70+ opening clauses that allow EU member states to derogate, specify, or make additional requirements), then laws from the BDSG-new would take precedence over the laws from the GDPR.
Data protection enforcement and fines in Germany
Data protection and privacy laws are no longer mere persuasions — they’re now packing some teeth. Whether through fines or orders to change business practices, enforcement actions are compelling global businesses to stay compliant.
It’s no different in Germany, as state data protection agencies enforce data privacy compliance for state-based organizations and non-public corporations.
In states with Freedom of Information acts, Data Protection Agencies and DPAs also regulate business data protection. They are to mete out penalties in proportion to how grave the violation is. But to do this, German DPAs deploy the Bußgeldmodell model to analyze the company's yearly turnover and level of personal data breaches.
Hence, according to (Article 83(5)) heavily non-compliant businesses face hefty fines — of a higher class — of up to €20 million or 4% of global annual turnover, whichever is higher in cases of :
Breach of basic principles for data processing (including conditions for seeking consent).
The rights of data subjects.
Restrictions on international transfers.
Special cases such as employee data processing obligations under Member State law.
Supervisory authority orders.
A case in point was H&M, fined €35 million for illegal employee surveillance at a service center in Nürnberg.
On the other hand, (Article 83(4)) establishes a lower category of fines relating to:
Obligations of controllers and processors relating to security and breach notifications
The BDSG requires data controllers to implement technical measures to prevent personal data breaches, and to report any breaches to supervisory authorities within 72 hours, failing which a fine of up to €10 million for non-compliance is imposed.
Key components of Germany's BDSD-new
The BDSG-new provides unique requirements from the GDPR for private companies, and we’ve outlined a few of the most relevant provisions below:
Designating a data protection officer
Unlike the GDPR which lays the responsibility of data protection at the feet of data subjects, the BDSG-new mandates the appointment of data protection officers to protect sensitive personal data.
As per Sec. 38 of BDSG-new, if your organization processes personal data with the involvement of at least twenty (20) individuals, either fully or partially by automated means, then it's time to appoint a data protection officer.
Data processing in the employment context
The BDSG-new comes with an added layer of protection for data subjects when it comes to processing personal data in the employment context.
According to Sec. 26 BDSG-new, the personal data of employees can be processed for employment-related purposes like entering, performing, and terminating employment or for carrying out a collective agreement.
Suppose there's enough evidence to suspect an employee of committing a crime during their employment. In that case, personal data can also be processed to investigate it - as long as the processing is necessary and not unreasonable. Sec. 26 BDSG-new also covers rules on valid employee consent and special categories of personal data in the employment context.
Scoring and credit checks
As per Sec. 31 BDSG, scoring and credit checks come with certain conditions attached. Companies can only use relevant data to ensure data protection, and the score must be based on reliable mathematical-statistical methods. A score based solely on address data is a big no-no, and if address data is used, the data subject must be informed beforehand.
DPAs (Data Protection Authorities)
Germany has about 17 different Data Protection Authorities (DPAs). One of them applies federally with jurisdiction over postal companies and telecommunication organizations. The other 16 preside over private organizations operating in their jurisdiction
And with that many DPAs, ensuring compliance can be tricky. Fortunately, BDSG-new has implemented a “one-stop” mechanism for companies with offices in multiple states – making it easier to keep up with the rules and regulations of each DPA.
The main DPA will be determined by the state where your company is mainly established; while its investigation powers are limited to professions with confidentiality obligations — like doctors, lawyers, and psychologists.
Altering the original purpose of data collection
In the face of national defense, public safety, or criminal prosecution matters, data collection may be altered to prosecute criminal offenses and support civil proceedings.
However, before any changes are made by the controller, they must prove that such an alteration is a weightier consideration than the duty to protect the interests of data subjects.
Criminal Law Provisions
According to Sec. 42 BDSG-new, some data protection infringements are considered criminal offenses, punishable with up to three years in jail or a fine.
For instance, transferring personal data illegally to third parties, making personal data accessible on a large scale for commercial purposes, or obtaining personal data through fraud for enrichment or to harm others are all criminal offenses.
Restriction on some individual rights
Data protection advocates have raised the alarm about how far-reaching the initial draft of BDSG-new was when it came to curtailing individual rights granted by GDPR. Thankfully, the final version has taken a more moderate stance on these restrictions, such as:
Not requiring notification if sensitive personal data is exposed and
Limiting right to access personal data where storage being used only serves the purpose of meeting regulatory retention requirements.
Restricting the right the erasure if it would be impossible or costly for organizations - or in cases where an individual's interest in erasure is minimal.
Cookie compliance in Germany
In December 2021, by virtue of Sec 25 TTDSG, Germany finally transposed Article 5 (3) of the ePrivacy Directive, requiring cookie consent while also setting out the definition of consent within the context of the GDPR.
The requirements for consent are nonetheless based on the GDPR: In line with the ePrivacy directive, and according to Section 25 (2) TTDSG, cookie consent is not required if the purpose of such a cookie is:
To transmit communication over a public telecommunication network;
To provide Telemedia services at the data subject's request.
However, the German DPAs have long been of the opinion that personal data captured with cookies for analytical and tracking purposes — especially when they allow third parties to collect personal data from data subjects as joint controllers — require consent.
As such, consent by scrolling, consent by continued browsing, and other forms of granular consent are outlawed in Germany. The data subject's consent should be obtained through clear and affirmative action.
How to comply with Germany's data protection laws
Amid the ever-evolving legal landscape, complying with German Data protection regulations might seem a tall order. And for companies, it can sometimes feel like the DPA is a grim reaper that hand-picks who gets sanctioned and who gets spared. But luckily, it’s not that out of control.
Companies should take stock of all cookies and technologies they use to store info on users' devices or access info stored on end devices and make sure their use is lawful. They should ask themselves if they really need to use certain cookies or tracking technologies, as per section 25 (2) of the TTDSG.
If not, consent must be obtained in line with the GDPR before storing or reading personal data from the terminal device.
Cover your legal bases with Didomi
Companies (located in and out of Germany) processing data of German data subjects are fast leaning on consent management platforms (CMPs) to be on the right side of compliance law. It’s a smart way for companies to show authorities that they have the technological infrastructure to capture and store data about users’ cookie consent.
And beyond GDPR compliance, there are plenty of rewards to reap from respecting users’ privacy; Didomi CMP helps you display cookie consent notice using a customizable banner format or user-friendly pop-up message, boosting your chances of a high consent rate.
This data garnered from users that willingly consented can better inform your marketing strategy for improved results. The world of benefits on offer makes the Didomi Consent Management Platform (CMP) your ultimate privacy partner, as it already is to 160,000+ websites and apps globally.
Contact our experts to tee you up for implementing cookie consent collection to achieve compliance and sustainable business success:
Frequently Asked Questions (FAQ)
How does BDSG-new expand upon the GDPR?
BDSG-new expands on the GDPR through over 70 opening clauses allowing modifications, clarifications, and additional stipulations per the German Bundestag (Parliament).
It addresses more stringent data protection requirements, covering both automated and manual data processing, and introduces specialized rules for private companies alongside public bodies.
What are the notable components of BDSG-new?
Key components of BDSG-new include the designation of data protection officers (DPO) for certain organizations, additional protections in employment-related data processing, and conditions for scoring and credit checks.
It also provides criminal offenses for certain data protection infringements and introduces a "one-stop" mechanism for compliance across multiple states in Germany.
How are data protection laws enforced and what fines are imposed for non-compliance in Germany?
Data protection laws are enforced by state data protection agencies and Data Protection Authorities (DPAs). Fines can be hefty, with serious non-compliance resulting in fines of up to €20 million or 4% of global annual turnover.
How does cookie compliance works in Germany?
As of December 2021, Germany requires cookie consent per the transposition of the ePrivacy Directive into national law via Section 25 TTDSG. Consent for cookies, especially those used for analytical and tracking purposes, must be obtained through clear and affirmative action, ruling out implied consent methods like scrolling or continued browsing.