Last review date: 17 December 2024
Data privacy: Germany has one data protection authority in each of its 16 states and one federal data protection and information commissioner. From the perspective of private bodies, the "main regulator" is the competent state authority, which has the competence to monitor and enforce compliance with the GDPR. The federal authority is competent to supervise the public bodies of the federation and represents Germany in the European Data Protection Board as joint representative and single point of contact.
- The data protection authority of Baden-Wuerttemberg (https://www.baden-wuerttemberg.datenschutz.de)
- The data protection authority of Bavaria (https://www.lda.bayern.de/de/index.html)
- The data protection authority of Berlin (https://www.datenschutz-berlin.de/)
- The data protection authority of Brandenburg (brandenburg.de)
- The data protection authority of Bremen (datenschutz-bremen.de)
- The data protection authority of Hamburg (http://www.datenschutz-hamburg.de/)
- The data protection authority of Hessia (hessen.de)
- The data protection authority of Mecklenburg-Vorpommern (https://www.datenschutz-mv.de/)
- The data protection authority of Lower Saxony (niedersachsen.de)
- The data protection authority of Northrhine-Westphalia (nrw.de)
- The data protection authority of Rhineland-Palatinate (http://www.datenschutz.rlp.de/)
- Independent data protection center in the state of Saarland (https://www.datenschutz.saarland.de/)
- The data protection authority of Saxony (sachsen.de)
- The data protection authority of Saxony-Anhalt (https://datenschutz.sachsen-anhalt.de/datenschutz-in-sachsen-anhalt)
- The independent center of data protection of Schleswig-Holstein (https://www.datenschutzzentrum.de/)
- The data protection authority of Thuringia (https://tlfdi.de/)
- The federal data protection and information commissioner (https://www.bfdi.bund.de/DE/Home/home_node.html)
Non-personal data: Debatable (for Cookies the data protection authorities usually would be the first ones to claim competence). For the telecommunications sector, mainly the federal data protection and information commissioner (https://www.bfdi.bund.de/DE/Home/home_node.html).
Cybersecurity: Federal Office for Information Security (https://www.bsi.bund.de/EN/Home/home_node.html) and for certain sectors, sector specific authorities, e.g. for the telecommunications sector, the Federal Network Agency.
Last review date: 17 December 2024
Data privacy: We expect an increase in enforcement activities from the data protection authorities, including an increase of fines as well as the use of other corrective powers to continue. We expect the data protection authorities to carry out more random audits to check compliance with data protection law, particularly if triggered by individual complaints or by notified personal data breaches. Additionally we expect more enforcement with regard to data processing in the context of the use of cookies and tracking tools as well as in the context of AI.
Cybersecurity: Prepare for NIS2 and CER requirements.
Regulatory investigations or direct enforcement activity by data or cyber regulators are:
- Staying the same
Are class actions/group actions under data or cyber regulation:
- Increasing
Last review date: 17 December 2024
There are:
Administrative remedies / civil penalties applied by regulators and law enforcement:
These can amount to up to EUR 20 million or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
The BSIG as currently in force imposes, for non-compliance with the various breach notification requirements, fines of up to EUR 500,000 (sector-specific laws include comparable administrative fine provisions and may empower regulatory authorities to impose further enforcement measures).
Criminal penalties from regulators and law enforcement:
Pursuant to Sec. 42 German Federal Data Protection Act, certain data protection infringements are considered criminal offences:
Knowingly and without authorization with regard to the personal data of a large number of people which are not publicly accessible:
- transferring the data to a third party, or
- otherwise making them accessible,
for commercial purposes, shall be punishable with imprisonment of up to three years or a fine.
With regard to personal data which are not publicly accessible:
- processing without authorization; or
- fraudulently acquiring,
and doing so in return for payment or with the intention of enriching oneself or someone else or harming someone, shall be punishable with imprisonment of up to two years or a fine.
In addition, other criminal offences might be relevant, e.g., the handling of stolen data: Sec. 202d German Criminal Code stipulates that whoever obtains for himself or someone else, passes to someone else, disseminates or otherwise makes available data (Sec. 202a para. 2) that is not generally available and that has been obtained by someone else through an unlawful act, to enrich himself or a third party, or otherwise harming others, shall be liable to imprisonment not exceeding three years or a fine.
Private remedies:
Individuals may, for example,
- file complaints with the data protection authorities
- claim damages for material or non-material damages.
Certain organizations (e.g., consumer protection bodies) and competitors may issue cease and desist letters and claim for injunctive relief in case the violating party does not sign a cease and desist declaration.
Other:
Works councils can file for preliminary injunctions against employers preventing them from putting into operation data processing systems.