
Germany Federal Data Protection Act

Published January 25, 2022
Author

Omer Imran Malik

Data Privacy Legal Manager, Securiti

FIP, CIPT, CIPM, CIPP/US


The European Union (EU) passed the General Data Protection Regulation (GDPR) in 2016, and it came into effect in May 2018. Grounded in the EU Charter of Fundamental Rights, it guarantees the protection of all EU residents' personal data. Regarded as one of the most comprehensive pieces of data protection legislation, it set the bar for the data protection laws that have followed across the world.

Interestingly, there were provisions in the GDPR that allowed each EU member country to make slight adjustments to their own national interpretation and implementation of the law. Germany's interpretation is the Bundesdatenschutzgesetz (BDSG), the German Federal Data Protection Act. It mirrors the GDPR in all key areas while giving local German regulatory authorities the power to enforce it more efficiently on the national level.

One aspect of GDPR that is open to differences is the age of consent to differentiate between adult and child data subjects. Germany has set the age of consent with regard to data protection at 16 years old.

Understanding the law and its basics can help companies remain compliant with the law's provisions while also gaining a competitive advantage over their competitors within Germany.

Who Needs to Comply with the Law

Germany's interpretation of the GDPR, the Federal Data Protection Act, applies to all personal and sensitive data that the data handler in Germany may have collected. This can include:

  • Name
  • Voice
  • Picture
  • Identification number
  • Race
  • Ethnicity
  • Religion
  • Sexual preference
  • Biometric data
  • Criminal record
  • Health records
  • Geographical location

As far as jurisdiction is concerned, the Federal Data Protection Act applies to:

  • Any data handler located in Germany collecting data on users
  • Any data handler located outside Germany but offering goods or services to data subjects within Germany
  • Any data handler located outside Germany monitoring the digital behavior of users in Germany

Obligations for Organizations Under the Federal Data Protection Act

As per Germany's data protection law, there are certain obligations that all data handlers or organisations have towards their users. These include the following:

Lawful Basis Requirements

The law explicitly states that the data handler can only collect data under the following conditions:

  • Processing data is necessary to carry out a legal, financial obligation;
  • Processing data is necessary for reasons of public interest in the area of public health;
  • Processing data is necessary for the purposes of preventative medicine;
  • Processing data is necessary for reasons of public interest.

As per Germany's Federal Data Protection Act, all data handlers that need to process data subjects' data can only proceed to do so after having acquired the necessary consent.

All data subjects must be informed of what data will be collected, how it will be collected, and for how long. Additionally, if any sensitive personal data is to be collected, the data subject must be informed of this separately.

Privacy Policy Requirements

The law mandates all data handlers processing data of EU residents to ensure the adherence to the following requirements in their privacy policies:

  • Proper contact details of the data handler or the data handler's German representative if the data handler is not based inside Germany.
  • Proper contact details of the data handler's Data Protection Officer.
  • Legal reasons behind the need to process the data subjects' data.
  • How the data subjects' data is stored, processed, and protected, and for how long.
  • How the data subjects can withdraw consent.
  • All of the data subjects' rights such as the right to access, rectification, erasure, data portability, etc.
  • Whether the data collected will be used in automated decision-making and profiling.
  • Whether the data collected will be shared or sold to any third party.
  • The business and financial needs behind collecting the data subjects' data.

Security Requirements

The law requires all data handlers to undertake the necessary technical and organisational steps to ensure adequate protection measures are in place for all data being processed.

While the law is ambiguous about the exact measures that need to be taken, data handlers are advised to implement strict encryption across the entire database while ensuring that such data is only accessible to relevant individuals on a need-to-know basis.

Data Breach Requirements

The German law dictates that any organisation subject to a data breach must inform the regulatory body without any undue delay within 72 hours of the incident. If such an incident is not reported appropriately, the data handler may face a fine of up to €500,000 per incident.

Additionally, all affected data subjects must be informed of the breach and what steps are being taken to prevent a future repeat of the incident.

Data Protection Officer Requirement

There are specific requirements in Germany's data protection law when appointing a Data Protection Officer (DPO). An organisation that employs at least 20 individuals dealing with data processing is legally required to hire a DPO with the proper credentials and professional experience to be employed in that role.

The organizations themselves can determine the necessary level of expertise and compatibility with the company culture, provided the final candidates meet all the requirements.

Data Protection Impact Assessment

Under the law, all data handlers must carry out Data Protection Impact Assessments (DPIA) within their organisation.

Moreover, the DPO should head these efforts and ensure the organisation's data protection mechanisms are up to date and remain compliant with the law. A regular record of such assessments must be kept to ensure a consistent degree of compliance within the organisation's data processing activities.

Record of Processing Activities

The data handler must keep a detailed record of all data being collected by them. The record must include the following:

  • Contact details of the data handler and the DPO at the time the data was processed;
  • Purpose of processing;
  • Information on the legal basis for processing;
  • How long the data will be maintained;
  • What security measures are in place to protect the collected data;
  • Categories of personal data and data subjects.

Cross-Border Data Transfer Requirements

As per the Schrems II ruling by the European Court of Justice, as well as recommendations by the European Data Protection Board, any data collected from users within the EU that is to be transferred outside the EU or the European Economic Area must have a legal justification behind it, with the following criteria being met:

Data Subject Rights

Like the GDPR, Germany's national interpretation of the law gives several explicit rights to all data subjects. The most important rights include:

Right to Access One's Own Data

All data subjects have the right to access all data that has been collected on them by the data handler. However, the data subject can be denied this request owing to legal or statutory protections around the data in question or if the data in question poses a risk to Germany's national security.

Right to Know Where Data Is Collected

All data subjects have the right to request information on where and which devices the data collected on them originated. This request can be denied if the data in question is subject to legal protections, interferes in the performance of duties by public bodies, or endangers Germany's national security.

Right to Object

The data subject can object to any further collection of their data. However, this request can be denied if the urgent public interest outweighs the data subject's interests.

Right to Request Erasure of One's Own Data

All data subjects have the right to request the data handler to erase any data collected on them. This request can be denied if the request conflicts with the retention period requirements of the data handler, would require an excessive dedication of resources, the data in the request is subject to legal protection, or would adversely affect Germany's national interests.

Right to Object to Automated Decision-Making

The data subject has the right to request an end to all automated decision-making and profiling based on data collected by the data handler.

Regulatory Authority

The new law established the office of the Federal Commissioner for Data Protection and Freedom of Information, with its headquarters in the city of Bonn. It is led by a Federal Commissioner, elected via a vote by the German Bundestag.

Eligibility criteria include being at least 35 years old and having appropriate qualifications in the field of data protection law gained through relevant professional experience. The Commissioner's term is five years, which can be extended once.

The Commissioner has the responsibility to act as the primary office responsible for enforcing the Federal Data Protection Act within Germany. Some of the office's key responsibilities include:

  • Advising the Bundestag, the Bundesrat, and the Federal Government on administrative and legislative measures related to data protection within the country;
  • Overseeing and implementing both the GDPR and the Federal Data Protection Act within Germany;
  • Promoting public awareness of the risks, rules, safeguards, and rights concerning the processing of personal data;
  • Handling all complaints raised by data subjects related to data processing, in addition to carrying out investigations to determine whether any data handler has breached any provisions of the Act.

Penalties for Non-compliance

The GDPR already laid down some stringent penalties for companies that would be found in breach of the law's provisions. More importantly, as opposed to other data protection laws such as the CCPA and CPRA, non-compliance with the law also meant penalties.

Germany's Federal Data Protection Act has a slightly more lenient take in this regard. A data handler found to have fraudulently collected data; processed, shared, or sold data without proper consent from the data subjects; not responded, or responded with delay, to a data subject request; or failed to properly inform the data subject of a breach can be fined up to €50,000.

This is in addition to the GDPR's €20 million or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher, that any organisation found in breach of the law is subject to.

However, for this fine to be applied, either the data subject, the Federal Commissioner, or the regulatory authority must file an official complaint.

How an Organization Can Operationalize the Law

Data handlers processing data inside Germany can remain compliant with the country's data protection law if they fulfill the following conditions:

  • Have a comprehensive privacy policy that educates all users of their rights and how to contact the relevant personnel within the organisation in case of a query
  • Hire a competent Data Protection Officer that understands the GDPR and Federal Data Protection Act thoroughly and can lead compliance efforts within your organisation
  • Ensure all the company's employees and staff are acutely aware of their responsibilities under the law
  • Conduct regular data protection impact assessments as well as data mapping exercises to ensure maximum efficiency in your compliance efforts
  • Notify the relevant authorities of a data breach as soon as possible

How Can Securiti Help

Data privacy and compliance have become incredibly vital in earning users' trust globally. Most users now expect most businesses to take all the relevant measures to ensure the data they collect is properly stored, protected, and maintained. Data protection laws have made such efforts legally mandatory, with organisations designing the best data protection and privacy compliance mechanisms for themselves.

That is an arduous task. However, AI-driven solutions could hold the key towards striking a balance between efficiency and effectiveness. Securiti is a market leader in offering solutions based on its PrivacyOps framework that can help businesses achieve privacy compliance anywhere in the world at the click of a button.

Request a demo today to learn more about how Securiti can help your business.


Frequently Asked Questions (FAQs)

The Federal Data Protection Act of Germany is a data protection law that regulates the processing of personal data within Germany. It supplements and aligns with the requirements of the EU GDPR.

Yes, Germany is covered by GDPR (General Data Protection Regulation). GDPR is a regulation that applies uniformly across all EU member states, including Germany.

The Federal Data Protection Act established the office of the Federal Commissioner for Data Protection and Freedom of Information, with its headquarters in the city of Bonn. It is led by a Federal Commissioner, elected via a vote by the German Bundestag.

Germany's interpretation is the Bundesdatenschutzgesetz (BDSG), the German Federal Data Protection Act. It mirrors the GDPR in all key areas while giving local German regulatory authorities the power to enforce it more efficiently nationally.
