Germany · Reviewed June 2026

What Is GDPR + Bundesdatenschutzgesetz (German Federal Data Protection Act)?

Germany applies the EU GDPR together with the Bundesdatenschutzgesetz (BDSG), which uses the GDPR's opening clauses to add national rules on employee data, video surveillance, credit scoring, and a lower mandatory threshold for appointing a data protection officer. Combined with strong works-council and employee-data protections, Germany is widely seen as the strictest GDPR jurisdiction in Europe.

Enforcement is decentralised. The federal BfDI oversees federal bodies, telecoms, and postal services, while each of the 16 Länder has its own independent data-protection authority competent for private companies established in that state (one Land splits public and private sector, hence 17 authorities). The competent regulator therefore depends on where the company is based — for example the Hamburg DPA, Bavaria's BayLDA, or Baden-Württemberg's LfDI.

Germany also has distinctive public-record and suppression mechanics: the residents' registration system (Melderegister) lets third parties request basic address data, but residents can file disclosure blocks (Übermittlungssperre) or, where they are at risk, a full information block (Auskunftssperre, §51 Bundesmeldegesetz).

Written by Rahul Kandoriya · Founder, OfflistMe · Last updated June 22, 2026

At a glance

Full name: GDPR + Bundesdatenschutzgesetz (German Federal Data Protection Act)
Short code: BDSG
Jurisdiction: Germany
Enacted: 2018
Last major update: BDSG (new) in force 25 May 2018 alongside the EU GDPR; TTDSG/TDDDG for telemedia
Regulator: BfDI (federal) + 17 independent state data-protection authorities (Landesdatenschutzbehörden)
Private right of action: Yes

Scope, who BDSG covers

Controllers and processors established in Germany, and (via GDPR Article 3) controllers/processors outside the EU that offer goods or services to, or monitor the behaviour of, people in Germany. The BDSG adds German-specific provisions for the public sector, employment, and credit scoring (§31 BDSG).

Protected data

Personal data — any information relating to an identified or identifiable natural person. Special-category data (health, biometrics, race, political/religious beliefs, sexual orientation) receives heightened protection. Credit-scoring data held by bureaus such as SCHUFA is specifically regulated under §31 BDSG.

Data subject rights

Right of access (Article 15) — incl. one free SCHUFA data copy per year

Right to rectification (Article 16)

Right to erasure / right to be forgotten (Article 17)

Right to restriction of processing (Article 18)

Right to data portability (Article 20)

Right to object, incl. absolute right for direct marketing (Article 21)

Right to block disclosures from the residents' register (Übermittlungssperre / Auskunftssperre §51 BMG)

Right to lodge a complaint with the competent state DPA or the BfDI (Article 77)

Notable features

Germany's defining features are its decentralised enforcement (17 independent DPAs) and its registration-office suppression tools. Under §51 Bundesmeldegesetz, anyone facing a threat to life, health, or freedom (e.g., stalking victims, at-risk professions) can obtain a free Auskunftssperre that hides their registry address for two years (renewable). Residents can also file targeted Übermittlungssperren to block disclosure for advertising, to political parties, or to address publishers. The land register (Grundbuch) is not public — access requires a legitimate interest.

Enforcement & penalties

Regulator: BfDI (federal) + 17 independent state data-protection authorities (Landesdatenschutzbehörden)

Penalties: GDPR two-tier fines: up to €10M or 2% of global turnover (lower tier) and up to €20M or 4% of global turnover (higher tier), whichever is greater. German DPAs are active enforcers — notable fines include €35.3M (H&M, Hamburg) and the Deutsche Wohnen case that reached the CJEU on the standard for corporate liability.

Private right of action: GDPR Article 82 grants a right to compensation for material or non-material damage, enforceable in the German civil courts. Germany also permits representative actions by qualified consumer associations, and German courts have awarded non-material damages for unlawful processing.

Relevance to data brokers

Address traders ('Adresshändler'), the credit bureau SCHUFA, and directory/people-search services (Das Telefonbuch, Das Örtliche) are all controllers under GDPR + BDSG. The marketing-objection right (Article 21), the Robinsonliste suppression list, and the Melderegister disclosure blocks give German residents strong tools. SCHUFA is additionally constrained by §31 BDSG and a 2023 CJEU ruling limiting automated credit scoring.

Exercise your rights

Remove your data from 500+ brokers for $7

OfflistMe drafts opt-out emails citing BDSG and other applicable laws. Citations included. You send from your own inbox. No account, no ID upload.


FAQ

Who regulates data privacy in Germany?

A decentralised system: the federal BfDI plus 17 independent state data-protection authorities (one per Land), each competent for private companies established in that state. The right regulator to complain to depends on where the company is based.

How do I hide my address from Germany's residents' register?

File an Übermittlungssperre at your local Bürgeramt to block specific disclosures (advertising, political parties, address publishers). If you face a threat to your safety, apply for an Auskunftssperre under §51 Bundesmeldegesetz, which fully blocks registry information for two years (renewable) and is free.

How do I get and correct my SCHUFA credit data?

You are entitled to one free data copy ("Datenkopie") per year under GDPR Article 15. You can dispute inaccuracies and request deletion of outdated entries, and companies need your consent before pulling your SCHUFA score.

Why is Germany considered the strictest GDPR country?

Because of the BDSG's employee-data and scoring rules, a lower mandatory DPO threshold, strong works-council rights, and 17 active independent supervisory authorities. Together these create more compliance obligations and more enforcement than most EU member states.
