Data protection & privacy laws in Germany (2026)
Germany has a comprehensive data-protection regime built on the directly applicable EU GDPR, supplemented by the national Federal Data Protection Act (BDSG), both in force since 25 May 2018. Enforcement is uniquely decentralized: the federal BfDI supervises federal bodies, telecoms and postal providers, while 17 independent state (Land) authorities supervise the private sector. A 2025 coalition agreement proposes centralizing private-sector supervision under the BfDI, but this reform is not yet enacted.
Key points
The directly applicable EU GDPR is the core framework, supplemented by the national BDSG which exercises the GDPR's opening clauses; both took effect on 25 May 2018. The BDSG specifies and adds detail in areas such as employee data, video surveillance and scoring.
The Federal Commissioner for Data Protection and Freedom of Information (BfDI), seated in Bonn, is the independent federal authority supervising federal public bodies plus telecommunications and postal service providers; it also serves as Freedom of Information Commissioner.
Germany's enforcement architecture is the most complex in the EU: alongside the BfDI, private-sector supervision is handled by 17 independent state (Land) data-protection authorities. The Data Protection Conference (DSK) coordinates common standards among them.
The Telecommunications-Digital Services Data Protection Act (TDDDG) — renamed from the TTDSG on 14 May 2024 to align with the EU Digital Services Act — transposes the ePrivacy Directive, governing cookies, terminal-device access and consent for telecoms and online services.
Under the GDPR/BDSG, controllers must have a lawful basis, observe transparency and data-minimization, conduct DPIAs and report breaches; individuals hold rights of access, rectification, erasure, portability and objection. Many German organizations must appoint a data protection officer (DPO).
The CDU/CSU-SPD coalition agreement (April 2025) proposes centralizing private-sector supervision under a renamed BfDI and anchoring the DSK in the BDSG to reduce bureaucracy and harmonize GDPR enforcement; the current decentralized regime remains in force pending legislation.
Timeline - major decisions & events
Germany's Federal Data Protection Commissioner imposed two fines (€15M for inadequate oversight of partner agencies under Art. 28 GDPR, €30M for weak hotline/portal authentication) — among the largest German GDPR penalties to date.
Source: BfDI
The EU Court of Justice upheld the German Federal Cartel Office's power to assess GDPR compliance in abuse-of-dominance cases and curtailed Meta's legal bases for combining and processing user data without freely given consent.
Source: Bundeskartellamt / CJEU
Germany's new cookie law transposed the ePrivacy Directive, requiring GDPR-grade consent (§25) for storing/accessing information on user devices, resolving years of legal uncertainty over cookie consent.
Source: gesetze-im-internet.de (Federal Ministry of Justice)
The Hamburg Commissioner penalized H&M for systematically recording employees' private lives (illnesses, family problems, beliefs) at a service centre — then a record GDPR fine in Germany.
Source: EDPB / Hamburg DPA
The Federal Cartel Office barred Facebook from merging user data across Facebook, Instagram, WhatsApp and third-party sources without voluntary consent — the landmark case linking competition law and data protection that later reached the CJEU.
Source: Bundeskartellamt
Germany's overhauled BDSG (via the DSAnpUG-EU adaptation act) entered into force the same day as the EU GDPR, using its opening clauses to tailor rules on employment data, video surveillance and supervisory authorities at national level.
Source: gesetze-im-internet.de (Federal Ministry of Justice)
The BDSG was amended and republished (the version in force until 2018) to transpose the EU Data Protection Directive, harmonizing German rules with the emerging European framework.
Source: Bundesdatenschutzgesetz overview
In the Volkszählungsurteil the Bundesverfassungsgericht struck down parts of the Census Act and recognized a constitutional 'right to informational self-determination' — the cornerstone of German and European data-protection law.
Source: Bundesverfassungsgericht
The Bundestag passed Germany's first national data-protection statute (in force 1 January 1978), regulating processing of personal data by public and private bodies and creating a federal commissioner.
Source: BvD (Federal Association of Data Protection Officers)
The German state of Hesse passed the Hessian Data Protection Act, the first statutory data-protection law anywhere, pioneering the legal concept of regulating automated personal-data processing.
Source: History of Data Protection (G. González Fuster)
Last verified 5/23/2026 · Orientation, not legal advice - verify against the primary sources linked above.