EuroComply
Créer un compte
🇩🇪Deutschland

General Data Protection Regulation Compliance in Germany

GDPR governs the processing of personal data of EU residents. It requires lawful basis for processing, data subject rights, breach notification, and accountability measures.

How does GDPR apply in Germany?

GDPR applies in Germany under EU law with the same obligations as across the bloc — maximum fine €20M or 4% of global turnover. The national supervisory authority is the BfDI (Federal Commissioner for Data Protection), which handles enforcement, complaints, and notifications. Deadline: In force since May 25, 2018.

  • Supervisory authority: BfDI (Federal Commissioner for Data Protection)
  • Maximum fine: €20M or 4% of global turnover
  • Key deadline: In force since May 25, 2018
Supervisory authorityBfDI (Federal Commissioner for Data Protection)
Maximum fine€20M or 4% of global turnover
Key deadlineIn force since May 25, 2018
Sectors affectedAll sectors processing EU personal data
Source: BfDI (Federal Commissioner for Data Protection)Reviewed:
Deadline

In force since May 25, 2018

Max Fine

€20M or 4% of global turnover

Sectors Affected

All sectors processing EU personal data

What are my GDPR obligations in Germany?

  • Maintain records of processing activities (ROPA)
  • Conduct Data Protection Impact Assessments
  • Appoint a Data Protection Officer (if required)
  • Implement data subject rights procedures
  • Report breaches within 72 hours

Who enforces GDPR in Germany?

Competent Land (state) data protection authority (Landesdatenschutzbehörde) (Land DPA)

Official authority website

The Federal Commissioner for Data Protection and Freedom of Information (BfDI) is Germany's national data protection supervisory authority, responsible for overseeing GDPR compliance for federal public bodies and the telecoms sector. Germany also has 16 state-level DPAs (Landesdatenschutzbehörden) for private sector enforcement.

National implementing law

Bundesdatenschutzgesetz (BDSG)

Federal Data Protection Act

Bundesdatenschutzgesetz, Gesetze im Internet

GDPR in Germany: what is different here?

For private-sector companies, the competent GDPR supervisory authority in Germany is the data protection authority of the federal state (Land) in which the company is established; Germany has 16 Land DPAs for the private sector. The BfDI (Federal Commissioner for Data Protection and Freedom of Information) is competent only for federal public bodies and telecom/postal providers.

Source: BfDI — Anschriften und Links der Datenschutzaufsichtsbehörden

Germany supplements the GDPR with the Bundesdatenschutzgesetz (BDSG), which sets national rules on employee data processing (§ 26 BDSG) and the appointment of a data protection officer.

Source: Bundesdatenschutzgesetz, Gesetze im Internet

Under § 38 BDSG, a German company must appoint a data protection officer whenever it constantly employs at least 20 people in the automated processing of personal data.

Source: Bundesdatenschutzgesetz § 38, Gesetze im Internet

What are the GDPR penalties for Germany organisations?

GDPR Article 83 establishes a two-tier fine structure. The upper tier — up to €20M or 4% of global annual turnover — applies to the most fundamental data protection violations including unlawful processing, data transfers, and breach of data subject rights. The lower tier — €10M or 2% — covers procedural and administrative obligations such as recordkeeping, DPO appointment failures, and breach notification delays.

Most serious violations: basic principles, lawful basis, data subject rights, transfers, and obligations under member state law

€20,000,000 or 4% of global annual turnover
Art. 83(5) — EUR-Lex

Administrative and procedural violations: recordkeeping, DPO, breach notification, processor obligations

€10,000,000 or 2% of global annual turnover
Art. 83(4) — EUR-Lex
What is the maximum GDPR fine?

The maximum GDPR fine is €20,000,000 or 4% of global annual turnover — whichever is higher — for the most serious violations under Article 83(5), including unlawful processing, invalid data transfers, and breach of data subject rights.

Who issues GDPR fines?

GDPR fines are issued by national Data Protection Authorities (DPAs), such as Ireland's DPC, France's CNIL, Germany's state DPAs (Landesdatenschutzbehörden), Spain's AEPD, and Italy's Garante. The European Data Protection Board (EDPB) can issue binding decisions in cross-border cases.

Can a small business receive a maximum GDPR fine?

In theory yes, but in practice DPAs apply proportionality. Article 83(1) requires penalties to be 'effective, proportionate and dissuasive'. SMEs typically receive lower fines, but turnover-based fines (4% of global revenue) mean even a €5M-revenue company could face up to €200,000.

Full GDPR penalty breakdown

Common GDPR compliance questions

What are the GDPR Article 32 technical measures for a SaaS company in Frankfurt?

GDPR Article 32 requires SaaS companies to implement technical measures proportionate to risk: encryption of personal data in transit (TLS 1.2+) and at rest; pseudonymisation of production datasets; regular automated backups with tested restore procedures; access control with least-privilege principles and audit logs; and a documented incident response procedure with 72-hour breach notification capacity. For a Frankfurt-hosted SaaS, using an EU-first infrastructure stack — EU LLM, EU database, EU-hosted data — directly reduces Article 32 exposure.

What GDPR compliance software works for EU startups?

EU startups need GDPR software covering data mapping (ROPA under Article 30), DPIA automation (Article 35), processor agreement tracking (Article 28), and breach notification workflows (Articles 33–34). EuroComply is free for up to one system, EU-hosted in Frankfurt, and adds AI Act and NIS2 coverage in one platform. Iubenda (Italian company) covers cookie consent and policy generation from €27.99/yr. For startups that have grown to more than 50 employees, DataGuard (Munich) provides a managed service.

What are GDPR fines for SMEs in 2025?

Under GDPR Article 83, fines fall into two tiers. Less severe infringements carry a maximum of €10M or 2% of global annual turnover, whichever is higher. More severe infringements — core principles, data subject rights, international transfers — carry a maximum of €20M or 4% of global annual turnover. The EDPB's 2023 guidelines clarify that supervisory authorities must account for the organisation's size. Germany (BfDI) and the Netherlands (AP) are the most active enforcement jurisdictions for SME fines.

What is a DPIA under GDPR?

A Data Protection Impact Assessment (DPIA) is a mandatory pre-deployment risk assessment under GDPR Article 35. It is required when processing is likely to result in a high risk to individual rights — large-scale profiling, processing biometric or health data, or systematic monitoring of public areas. A DPIA must describe the processing, assess necessity and proportionality, identify risks and mitigation measures, and record the outcome. Failing to complete a required DPIA is an Article 35 infringement carrying fines of up to €10M or 2% of global turnover.

Does GDPR apply to your Germany business?

Find out in 2 minutes with our free regulation checker.

Check now — free

GDPR compliance in other EU countries

🇫🇷

France

🇳🇱

Netherlands

🇪🇸

Spain

🇮🇹

Italy

🇦🇹

Austria

🇧🇪

Belgium

🇵🇱

Poland

🇸🇪

Sweden

🇮🇪

Ireland

🇵🇹

Portugal

🇩🇰

Denmark

🇫🇮

Finland

🇨🇿

Czech Republic

🇷🇴

Romania

🇭🇺

Hungary

🇸🇰

Slovakia

🇧🇬

Bulgaria

🇭🇷

Croatia

🇬🇷

Greece

🇱🇺

Luxembourg

🇪🇪

Estonia

🇱🇻

Latvia

🇱🇹

Lithuania

🇸🇮

Slovenia

🇲🇹

Malta

GDPR in Germany by Industry

GDPR for SaaS & Software in Germany
GDPR obligations and guidance for SaaS & Software organisations in Germany
GDPR for HR & Recruitment in Germany
GDPR obligations and guidance for HR & Recruitment organisations in Germany
GDPR for Healthcare & MedTech in Germany
GDPR obligations and guidance for Healthcare & MedTech organisations in Germany
GDPR for E-commerce & Retail in Germany
GDPR obligations and guidance for E-commerce & Retail organisations in Germany
GDPR for Fintech & Financial Services in Germany
GDPR obligations and guidance for Fintech & Financial Services organisations in Germany
GDPR for Legal & Professional Services in Germany
GDPR obligations and guidance for Legal & Professional Services organisations in Germany
View full GDPR compliance guide

Check Your Compliance Obligations

Find out which GDPR obligations apply to your Germany organisation in under 2 minutes.

Run EU Compliance Checker

Explore GDPR Compliance

GDPR Complete Guide
Full compliance guide, applicability matrix, and 20+ FAQs
GDPR Penalties
Maximum fines and enforcement by member state
GDPR Timeline
Key deadlines and compliance milestones
All EU Regulations
Browse all EU regulations covered by EuroComply

For informational purposes only. This is not legal advice — consult qualified legal counsel.