European Union · updated 2026-06-15
Germany
Germany applies GDPR with stricter national add-ons: a DPO is mandatory from just 20 employees handling personal data, and 17 separate regulators enforce actively. Assume the strictest reading of every rule applies here.
- Law:
- GDPR + BDSG (Federal Data Protection Act) + TDDDG
Cookie consent
Opt-in required
Breach deadline
72 hours
DPA with vendors
Required
Max fine
€20,000,000 or 4% of global annual revenue, whichever is higher
What Germany requires
Compliance items with their statutory basis. Stamps mark whether each applies to every business or only above certain thresholds.
-
Privacy policy (Datenschutzerklärung)
Art. 13–14 GDPREvery website and app needs a German-language privacy notice listing controller identity, purposes, legal bases, recipients, retention periods, and data subject rights.
How to implement Link it from every page footer as 'Datenschutz'. German courts treat a missing or English-only notice as an actionable violation, and competitors can send costly cease-and-desist letters (Abmahnungen).
Required -
Imprint (Impressum)
§5 DDGA German legal quirk beyond GDPR: commercial websites reachable from Germany need an imprint naming the operator, address, contact email, and registration details.
How to implement Add an /impressum page linked from the footer. Missing imprints are the single most common trigger for cease-and-desist letters against foreign SaaS companies.
Required -
Cookie consent banner
§25 TDDDGPrior opt-in consent before setting any non-essential cookie, pixel, or localStorage entry. Consent must be granular, freely given, and as easy to refuse as to give.
How to implement Deploy a consent management platform that blocks tags until consent. Do not load Google Analytics, Meta Pixel, or YouTube embeds before opt-in — German DPAs actively scan for this.
Required -
Records of processing (ROPA)
Art. 30 GDPRA written register of all processing activities: purposes, categories, recipients, transfers, retention, and security measures. The small-business exemption rarely applies in practice.
How to implement Maintain a spreadsheet or use a compliance suite. This is the first document a German DPA requests during an audit — keep it current and in German or English.
Required -
Data protection officer
§38 BDSGMandatory once 20+ people regularly process personal data by automated means, or whenever processing requires a data protection impact assessment.
How to implement Appoint an internal or external DPO, publish their contact details in your privacy policy, and register them with your state DPA. External DPO services start around €200/month.
Conditional -
Breach notification process
Art. 33–34 GDPRDocument every breach internally; report qualifying breaches to the competent state DPA within 72 hours.
How to implement Write a one-page incident runbook: who decides, which state DPA portal to use, what the 72-hour clock starts on. Each Bundesland has its own online reporting form.
Required
The details
- Cookie consent
- §25 TDDDG requires prior opt-in consent for any non-essential cookies or device storage. German courts have rejected pre-ticked boxes and nudging dark patterns; a reject option must be as easy as accept.
- Data Protection Officer
- Stricter than baseline GDPR: §38 BDSG mandates a DPO once 20+ people are regularly involved in automated processing of personal data — a threshold most software companies cross quickly.
- Processing agreements
- Art. 28 GDPR data processing agreements are required with every processor (hosting, analytics, email). German DPAs audit these in practice, including the technical and organisational measures annex.
- Breach notification
- Notify the competent state DPA within 72 hours of becoming aware (Art. 33 GDPR). Affected individuals must be told without undue delay when the breach poses a high risk (Art. 34).
- Enforcement in practice
- H&M was fined €35.3M in 2020 by the Hamburg DPA for covertly profiling employees' private lives — a reminder that internal HR data counts too.
Data subject rights
What users can demand from you in Germany, and the engineering that satisfies each right.
Right to access
Art. 15 GDPRUsers can request a copy of all personal data you hold about them, plus processing details.
Respond within one month. German courts (BGH 2021) read Art. 15 broadly — include internal notes and correspondence about the person, not just profile fields.
Right to erasure
Art. 17 GDPRUsers can demand deletion when data is no longer needed or consent is withdrawn.
Build a delete flow covering production data, backups (document your backup expiry), and processors. German tax law requires keeping invoices 10 years — document that exemption instead of deleting.
Right to data portability
Art. 20 GDPRUsers can take data they provided in a structured, commonly used, machine-readable format.
A JSON or CSV export endpoint covering user-provided data satisfies this. Only applies to processing based on consent or contract.
Right to rectification
Art. 16 GDPRUsers can correct inaccurate personal data without undue delay.
Editable profile fields cover most cases; add a support channel for data the user cannot edit directly.
Right to restrict processing & to object
Art. 18, 21 GDPRUsers can freeze processing during disputes and object to processing based on legitimate interests — including an absolute right to object to direct marketing.
Honour marketing objections immediately with a suppression list. German UWG rules additionally require double opt-in for marketing email, so keep consent logs.
Automated decision-making
Art. 22 GDPRUsers cannot be subject to solely automated decisions with legal or similarly significant effects without safeguards.
The SCHUFA ruling (CJEU 2023, a German referral) held credit scoring itself can be a covered decision. If you score or auto-reject users, add human review and disclose the logic.
Tools that cover Germany
Services we'd shortlist for this jurisdiction. Links may be affiliate links.
-
cookie consent
Usercentrics
German-built consent management platform, the de-facto standard for TDDDG-compliant banners.
Visit Usercentrics → -
privacy policy
iubenda
Generates German-language privacy policies and imprint pages kept in sync with BDSG changes.
Visit iubenda → -
dpa template
Termly
DPA templates and a policy generator suitable for small teams selling into Germany.
Visit Termly →
Frequently asked questions
Do I need a German Impressum if my company is outside Germany?
If you offer commercial services aimed at the German market, yes. The imprint duty in §5 DDG applies based on where the service is directed, not where the company sits. It is a one-page fix that removes the most common cease-and-desist risk.
Can I use Google Analytics in Germany?
Only behind prior opt-in consent and with IP anonymisation, EU data residency settings, and a DPA with Google in place. German DPAs have repeatedly found default GA setups unlawful, so many German companies switched to EU-hosted alternatives.
At what size do I need a Data Protection Officer in Germany?
From 20 people regularly handling personal data by automated means — far lower than the GDPR baseline. A 25-person SaaS company almost certainly needs one. External DPO services are the usual answer for startups.
Which regulator will actually enforce against my company?
The DPA of the German state (Bundesland) where your establishment sits — or for foreign companies, any state DPA where affected users live. Bavaria, Hamburg, and Berlin run the most active audit programmes.
Similar jurisdictions
Free download
Get GDPR updates for Germany
A one-page privacy audit checklist covering the requirements that regulators actually fine for — cookie consent, breach runbooks, DPAs, and data subject request handling. We email occasional updates when the law changes; unsubscribe anytime.
No spam. Unsubscribe anytime — we practice what we document.