Data & Privacy - Germany

The directly applicable EU GDPR is the core framework, supplemented by the national BDSG which exercises the GDPR's opening clauses; both took effect on 25 May 2018. The BDSG specifies and adds detail in areas such as employee data, video surveillance and scoring.

The Federal Commissioner for Data Protection and Freedom of Information (BfDI), seated in Bonn, is the independent federal authority supervising federal public bodies plus telecommunications and postal service providers; it also serves as Freedom of Information Commissioner.

Germany's enforcement architecture is the most complex in the EU: alongside the BfDI, private-sector supervision is handled by 17 independent state (Land) data-protection authorities. The Data Protection Conference (DSK) coordinates common standards among them.

The Telecommunications-Digital Services Data Protection Act (TDDDG) — renamed from the TTDSG on 14 May 2024 to align with the EU Digital Services Act — transposes the ePrivacy Directive, governing cookies, terminal-device access and consent for telecoms and online services.

Under the GDPR/BDSG, controllers must have a lawful basis, observe transparency and data-minimization, conduct DPIAs and report breaches; individuals hold rights of access, rectification, erasure, portability and objection. Many German organizations must appoint a data protection officer (DPO).

The CDU/CSU-SPD coalition agreement (April 2025) proposes centralizing private-sector supervision under a renamed BfDI and anchoring the DSK in the BDSG to reduce bureaucracy and harmonize GDPR enforcement; the current decentralized regime remains in force pending legislation.