
German Federal Data Protection Act (BDSG)

  • Maximum Fine: €20M or 4%
  • Scope: National
  • Regulator: BfDI
  • Framework: GDPR


Overview

The Federal Data Protection Act (Bundesdatenschutzgesetz - BDSG) implements and supplements the GDPR in Germany, establishing specific national requirements and enforcement mechanisms.

Key Facts

  • Enacted in 2018 to align with GDPR
  • Enforced by Federal and State Data Protection Authorities
  • Includes specific requirements for employee data

Key Principles

Employee Data Protection

Specific rules for processing employee personal data in the employment context.

Requirements

  • Legal basis for processing
  • Works council involvement
  • Transparency measures
  • Data minimization
  • Storage limitations

Examples

  • Employment contracts
  • Works agreements
  • Privacy notices
  • Retention schedules

Special Processing Operations

Additional requirements for specific types of data processing.

Requirements

  • Video surveillance rules
  • Scoring regulations
  • Credit reporting requirements
  • Address trading limitations
  • Marketing restrictions

Examples

  • CCTV policies
  • Credit assessment procedures
  • Marketing consent forms
  • Data sharing agreements

Federal Authority Requirements

Specific rules for federal public bodies processing personal data.

Requirements

  • Legal basis verification
  • Processing limitations
  • Security measures
  • Documentation requirements
  • Data transfer rules

Examples

  • Processing records
  • Security concepts
  • Transfer agreements
  • Compliance documentation

Compliance Requirements

Data Protection Officer

Organizations must appoint a DPO if they meet specific criteria under BDSG.

Implementation Steps

  • Assess DPO requirement
  • Appoint qualified DPO
  • Register DPO with authority
  • Ensure independence
  • Document appointment

Required Documentation

  • DPO appointment letter
  • Qualification records
  • Registration confirmation
  • Independence documentation
  • Role description

Employee Data Processing

Specific requirements for processing employee personal data under BDSG.

Implementation Steps

  • Identify legal basis
  • Implement safeguards
  • Obtain works council approval
  • Document processing
  • Regular reviews

Required Documentation

  • Processing records
  • Works council agreements
  • Consent forms
  • Review logs
  • Safeguard documentation

Special Categories Processing

Additional requirements for processing special categories of personal data.

Implementation Steps

  • Assess necessity
  • Implement extra safeguards
  • Document legal basis
  • Conduct DPIA
  • Regular monitoring

Required Documentation

  • Necessity assessments
  • Security measures
  • Legal basis records
  • DPIAs
  • Monitoring logs

Enforcement & Penalties

Administrative Fines

The Federal Commissioner for Data Protection and Freedom of Information (BfDI) and state DPAs can impose significant administrative fines.

Penalty Categories

  • Severe Violations: up to €20M or 4% of global revenue, for violations of basic principles or data subject rights
  • Standard Violations: up to €10M or 2% of global revenue, for violations of technical and organizational measures
  • Criminal Offenses: up to 3 years imprisonment, for intentional illegal data transfers or commercial processing

Example Cases

  • Deutsche Wohnen SE: €14.5 million (2019) - failure to implement a data deletion concept
  • 1&1 Telecom GmbH: €9.55 million (2019) - insufficient authentication procedures

Additional Measures

Supervisory authorities can impose various corrective measures beyond monetary penalties.

Measure Categories

  • Processing Bans (temporary or permanent): prohibition of specific processing activities
  • Corrective Orders (mandatory changes): orders to bring processing into compliance
  • Audits (regular inspections): mandatory data protection audits

Example Cases

  • H&M: €35.3 million (2020) - employee surveillance and data protection violations
  • Public Authority: corrective order (2021) - required implementation of technical measures