Regulators, Enforcement Priorities and Penalties
Who are the main data privacy, non-personal data and/or cybersecurity regulator(s) in the jurisdiction?

Last review date: 17 December 2024

Data privacy: Germany has one data protection authority in each of its 16 states and one federal data protection and information commissioner. From the perspective of private bodies, the "main regulator" is the competent state authority, which has the competence to monitor and enforce compliance with the GDPR. The federal authority is competent to supervise the public bodies of the federation and represents Germany in the European Data Protection Board as joint representative and single point of contact.

Non-personal data: Debatable (for cookies, the data protection authorities would usually be the first to claim competence). For the telecommunications sector, mainly the federal data protection and information commissioner (https://www.bfdi.bund.de/DE/Home/home_node.html).

Cybersecurity: Federal Office for Information Security (https://www.bsi.bund.de/EN/Home/home_node.html) and for certain sectors, sector specific authorities, e.g. for the telecommunications sector, the Federal Network Agency.

How active is each of the regulator(s)?

Last review date: 17 December 2024

Moderately active

What are each of the regulator's anticipated enforcement priorities for the next 12 months?

Last review date: 17 December 2024

Data privacy: We expect an increase in enforcement activities from the data protection authorities, including a continued increase in fines as well as in the use of other corrective powers. We expect the data protection authorities to carry out more random audits to check compliance with data protection law, particularly where triggered by individual complaints or by notified personal data breaches. Additionally, we expect more enforcement with regard to data processing in the context of the use of cookies and tracking tools as well as in the context of AI.

Cybersecurity: Prepare for NIS2 and CER requirements.

What trends are you seeing in regulatory investigations relating to data & cyber?

Regulatory investigations or direct enforcement activity by data or cyber regulators are:

  • Staying the same

Are class actions/group actions under data or cyber regulation

  • Increasing

What are the potential penalties/remedies for non-compliance with the key data and cybersecurity laws in the jurisdiction?

Last review date: 17 December 2024

There are:

Administrative remedies / civil penalties applied by regulators and law enforcement:

These can amount to up to EUR 20 million or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

The BSIG as currently in force imposes, for non-compliance with the various breach notification requirements, fines of up to EUR 500,000 (sector-specific laws include comparable administrative fine provisions and may empower regulatory authorities to impose further enforcement measures).

Criminal penalties from regulators and law enforcement:

Pursuant to Sec. 42 German Federal Data Protection Act, certain data protection infringements are considered criminal offences:

Knowingly and without authorization with regard to the personal data of a large number of people which are not publicly accessible:

  • transferring the data to a third party, or
  • otherwise making them accessible,

for commercial purposes, shall be punishable with imprisonment of up to three years or a fine.

With regard to personal data which are not publicly accessible:

  • processing without authorization; or
  • fraudulently acquiring,

and doing so in return for payment or with the intention of enriching oneself or someone else or harming someone, shall be punishable with imprisonment of up to two years or a fine.

In addition, other criminal offences might be relevant, e.g., the handling of stolen data: Sec. 202d German Criminal Code stipulates that whoever obtains for himself or someone else, passes to someone else, disseminates or otherwise makes available data (Sec. 202a para. 2) that is not generally available and that has been obtained by someone else through an unlawful act, to enrich himself or a third party, or otherwise harming others, shall be liable to imprisonment not exceeding three years or a fine.

Private remedies:

Individuals may, for example,

  • file complaints with the data protection authorities
  • claim compensation for material or non-material damage.

Certain organizations (e.g., consumer protection bodies) and competitors may issue cease and desist letters and claim injunctive relief if the violating party does not sign a cease and desist declaration.

Other:

Works councils can file for preliminary injunctions against employers to prevent them from putting data processing systems into operation.

If data subjects have private remedies, what form can these remedies take?

  • individual personal actions
  • representative actions (e.g., brought by a consumer / data privacy body or the supervisory authority)