Stage of legislative progress 
Eg. pre-consultation, in consultation

The German Data Protection Amendment Act ("GDPAA") which implemented the new German Federal Data Protection Act was passed on 5 July 2017 and entered into force on 25 May 2018.

The Parliaments of both the Bund (federal level) and the German Federal States ('Bundesländer', regional level) are now in the process of adapting further specific laws to the GDPR.

Approach to implementation 
Eg. amendments to existing law, total repeal of old laws

There are only a few opening clauses which have not been used (in particular the opening clause allowing for a reduction of the age limit according to Art. 8(1) subpara. 2). GDPR-regulated areas are combined with out-of-scope-areas such as law enforcement and national security.

At the federal level, the Second German Data Protection Amendment and Implementation Act (latest draft dated October 1st 2018) will adapt more than 150 federal laws (including i.a. the Federal Act Governing Access to Information held by the Federal Government, eGovernment Act, BSI-Act, Social Security Codes, etc.) to  GDPR requirements.

The Federal States are also in the process of changing their laws to meet  GDPR requirements in the public sector. In particular, companies with a business relationship with publicly-owned hospitals should take into account that several Federal States have adapted their Hospital Acts for GDPR compliance.

Timescale for implementation 
Eg. confirmed or estimated dates, deadlines
 The GDPAA was passed on 5 July 2017. The legislative process for the Second German Data Protection Amendment and Implementation Act is still in progress and it is expected to be passed in 2019. There is, however, no set timeline.

Areas where Member States must have local laws:

Personal data and freedom of expression 

Yes -the Act contains a number of specific provisions and exemptions covering processing for press and media related purposes. Please see in particular the respective press acts and media laws of the Federal Sates (e.g. the Hessian Press Act (Hessisches Pressegesetz) and the Media Act of the Federal State of Thuringia (Thüringer Landesmediengesetz), etc.).


Yes - The following criminal offences are included:

§ 42 FDPA: Imprisonment or fine for:
(1) unlawful transfer / making accessible non-publicly available personal data of a large number of individuals for commercial purposes;
(2) unlawful processing of non-publicly available personal data for personal or third party enrichment purposes or with the intention of or harming another person;
(3) Fraudulent obtainment of non-publicly available personal data for personal or third party enrichment purposes or with the intention of or harming another person (personal offences based on responsibility). 

§ 43 FDPA: Fines for failure to handle a subject access request appropriately or to inform a consumer or to inform them fully and correctly within the prescribed time limits.

Areas where Member States may have local laws:

Professional secrecy 

Conditions for processing sensitive data:

§ 22 FDPA permits the processing of sensitive data for a number of specific purposes including the following: preventive medicine, employee work capability assessment, medical diagnosis, health and social care treatments, management of systems, agreements with health professionals (and their staff) where data is provided under the obligation of professional secrecy, and for reasons of public interest in the area of public health (as required, for example, to ensure high quality and security standards for health services, drugs or medical products). However, such processing is only possible if certain safeguards are put in place to protect such data ("suitable and specific" safeguards).

§ 29(2) FDPA limits the data subject information obligation for the transmitting body when transmitting data to lawyers etc.;

§ 29(3) FDPA protects individuals subject to professional secrecy obligations and limits access requests;

§ 13(4) FDPA binds the Federal Commissioner to secrecy.

Scientific, historical or statistical purposes 

§ 27 FDPA permits processing of sensitive data without consent:

- for scientific or historical research purposes; and

- for statistical purposes
if the processing is necessary for these purposes and the data controller’s interest in processing such data significantly outweighs the data subject’s interests.

The data controller must apply certain "suitable and specific" measures to ensure that the data is correctly protected.

The Act also restricts data subjects' rights in the context of  processing for research and statistical purposes, and sets out requirements for the publication of such data.

§ 32-37  FDPA also contain other (general) restrictions of data subjects' rights on the basis of Art. 23 GDPR.


Employment, social security and social protection § 26 FDPA constitutes a basis for the processing of employment data. The new rule more or less keeps the framework of the previous rules on the processing of HR data. The processing of employee data is generally allowed if necessary for establishing, carrying out or terminating the employment relationship (NB: subject to interpretation based on existing case law and guidance of DPAs). The GDPAA maintains the current restrictions for investigations of criminal conduct and now mentions collective agreements as a possible legal basis for the processing of HR data.

§ 26 FDPA also contains certain justifications for the use of special categories of employee data ("sensitive data") and a definition of the term "employee". The GDPAA further provides clarification on consent, such as the circumstances when such consent is “freely given” in an employer-employee relationship. Legal and economic advantages are considered in this respect and in the reasoning of the GDPAA, for example, the GDPAA refers to the use of IT for private purposes or to receive health benefits. Under certain conditions, § 24(2) FDPA permits a change of purposes for sensitive data in an HR context.

Personal data of deceased persons 


Children online


Special rules for special categories of data
§ 22 provides a general framework for the processing of sensitive data, including rules on health data.

Genetic, biometric or health data

Yes - § 22 FDPA provides a general framework for the processing of sensitive data, including rules on health data (no explicit restriction to genetic/biometric data). Such processing is, however, only possible if "suitable and specific" safeguards are taken to protect such data. The safeguards may include technical and organisational measures, pseudonymisation, encryption, or the appointment of a Data Protection Officer ("DPO") etc.

Designation of a Data Protection Officer

§ 38 FDPA: A DPO must always be appointed when (1) more than 10 persons regularly take part in processing personal data; or, regardless of the number of persons involved in the processing of personal data, (2) whenever a DPIA has to be carried out; or (3) whenever personal data is processed to be transferred for commercial reasons, transferred anonymously or for purposes of market research and opinion polls.

This means that the threshold for the appointment of a DPO is much lower in Germany than compared to that of the GDPR. The German legislator has more or less kept the pre-existing framework.

National identification numbers/any other identifier of general application



Any other areas under discussion

Various German Federal laws contain specific data protection provisions in some areas. Sector-specific data protection will continue to be important in the future.

Telecommunications Act ("Telekommunikationsgesetz", "TKG")

Contrary to the previous draft of the Second German Data Protection Amendment and Implementation Act which contained substantial changes to sector-specific data protection rules for the telecommunications sector (sections 91-107 TKG) the current draft of the Federal Government does not include any amendments to the Telecommunications Act. Companies should follow further developments on this.

Telemedia Act ("Telemediengesetz", "TMG")

The TMG contains special data protection regulations for providers of Information Society Services in particular in the online sector ("Telemedia") in Germany. It is controversially discussed whether the data protection provisions of the TMG are applicable alongside the GDPR. The German data protection authorities are of the opinion that the data protection provisions of the TMG do not apply anymore and the (stricter) requirements of the GDPR would need to be met by all Telemedia providers. This is, however, a quite strict interpretation of the law. Which data protection provisions will be superseded by the GDPR and which will remain applicable will need to be assessed on a case by case basis. Companies operating online are strongly recommended to keep an eye on further developments.