Germany

BfDI oversees federal authorities and telecoms. 16 state DPAs handle private sector and state government. Known for rigorous enforcement and detailed guidance.

GDPR consent rules apply strictly. BDSG adds specific provisions for employment data consent. German DPAs take strict interpretation of legitimate interests.

Full GDPR rights apply. BDSG provides some limitations for archiving, research, and public interest. Works councils have role in employee data matters.

GDPR transfer rules apply. German DPAs are among the strictest interpreters of Schrems II. SCCs require supplementary measures.

GDPR 72-hour notification applies. Additional BDSG provisions for federal agencies. State DPAs have published detailed breach handling guidance.

GDPR DPO rules plus BDSG requirement: DPO mandatory when 20+ persons regularly process personal data (lower threshold than GDPR alone).

Germany has set the GDPR Article 8 age at 16. Parental consent required for information society services targeting children.

Active enforcement by state DPAs. Notable fines include H&M (EUR 35.3M by Hamburg DPA for employee surveillance) and Deutsche Wohnen (EUR 14.5M by Berlin DPA).

TTDSG (Telecom/Telemedia Data Protection Act) for digital services. Employee data protection under BDSG Section 26. Healthcare, banking, and telecom have additional rules.

TTDSG Section 25 implements strict cookie consent requirements. Planet49 CJEU ruling originated from German case. Active enforcement of cookie rules.

GDPR Article 22 rights apply. EU AI Act implementation underway. Germany active in AI governance discussions.

No data localisation requirement beyond GDPR transfer restrictions. Some government data may have residency requirements.

No direct equivalent. DPO requirement threshold (20+ regular data processing employees) acts as a de facto distinction for larger processors.

BDSG Part 2 governs federal public bodies. State data protection laws govern state/local government. Strict oversight by respective DPAs.