
German Privacy Law

The flourishing of data protection laws

Since the mid-1980s, data protection laws have flourished in Germany and Europe. The multitude of EU and German directives has made data protection law one of the most complex legal fields in Germany and the European Union.

The basic principle is simple: any storage, transmission or modification of data is prohibited, unless an exception applies. But because of the large number of laws and directives – as well as the potential for fines, criminal penalties and reputational damage – great care is necessary when determining whether a legal exception applies.

Historically, the authorities tasked with enforcing data protection laws used their enforcement mechanisms sporadically. In recent years, however, enforcement actions have been on the rise. Simultaneously, the EU and German legislative bodies have introduced new fines and criminal penalties.

Creating a data protection concept for your company

Every company must comply with German data protection laws, regardless of how many employees it has. And any company with at least ten employees must appoint a data protection officer.

Given these legal requirements and increased enforcement actions, it is essential that every company create a data protection concept that is legally compliant, practicable and tailored to its individual needs. Our experienced attorneys can help you develop a data protection concept and address all of your other data protection matters, including:

  • bringing labor contracts into line with data protection law
  • drafting data protection and data privacy programs and policies for your company, including training materials
  • drafting a declaration of consent form for dealings with clients, vendors and business partners
  • drafting a confidentiality agreement to ensure non-disclosure of protected data
  • drafting guidelines and contract clauses that are compliant with data protection law (e.g. Section 11 of the German Federal Data Protection Act)
  • assistance with the implementation of a company-wide data protection program, including on-site training and support
  • drafting guidelines for the implementation of control measures required by the appendix to Section 9 sentence 1 of the German Federal Data Protection Act
  • drafting guidelines for the transmission of personal data to another country so that such transmissions comply with sections 4b and 4c of the German Federal Data Protection Act

Your website, the German Telemedia Act and data protection laws

The German Telemedia Act compels companies, associations and societies to disclose on their websites how they intend to use the data of their website visitors. Thus, every company with a webpage needs a website privacy policy that satisfies the requirements of the German Telemedia Act and the German Federal Data Protection Act.

Entities covered by the Act include businesses, societies, associations, non-profit organizations (foundations, non-profit limited liability companies (gGmbH), non-profit entrepreneurial companies (gUG)) and non-profit cooperative associations. Our experienced attorneys regularly review and draft new privacy policies for the websites of companies in a wide variety of industries and sectors and can gladly advise you on which practices and policies you can engage in while remaining legally compliant.


Privacy and Cyber Security in Germany 2019

(Chapter in the Law Review series)

Our privacy experts contributed a chapter to the handbook The Privacy, Data Protection and Cybersecurity Law Review. Read here for free

Data protection concept for societies and associations in Germany

Associations, societies and other non-profit organizations are subject to the same data protection laws as commercial enterprises. While the German data protection authorities have historically focused their enforcement actions on commercial enterprises, in recent years they have also audited and initiated enforcement actions against societies and associations.

Our attorneys have years of experience working with nonprofits. Let us use our experience to help you develop a data protection concept that is both legally compliant and suitable for your nonprofit’s particular activities.

Fundraising restrictions

The German Federal Data Protection Act provides carve-outs and privileges for fundraising activities. However, fundraisers must also comply with the German Unfair Competition Act. As a result, fundraising activities which may be unobjectionable under data protection laws may still constitute unfair competition with other fundraisers. Our attorneys can review your prospective and existing advertising and fundraising efforts to ensure that they are legally compliant.

Special data protection for particularly sensitive data

Sensitive information concerning ethnicity, political opinions, religious or philosophical beliefs, union membership, health or sex life is especially protected under data protection law. For example, medical records or data from scientific studies using human research subjects are subject to special safeguards within health data protection law. Our attorneys are versed in the special rules that apply to sensitive data and can review your collection, use and storage of sensitive data to ensure compliance with data protection law.

In-house training on data protection law

Our attorneys can also provide on-site training courses on German and EU data protection law. For more information about trainings or any of the services mentioned above, feel free to contact us.

Your German data protection attorney

Our data protection experts Attorney Olga Stepanova, Attorney Lars Gerbe and Attorney Patricia Jechel will be pleased to help you with any matters regarding data protection law. You can contact us via e-mail or by phone (+49 (0)69 76 75 77 80). Do not hesitate to contact us!

"Privacy Law": Recent blog posts

German Telecommunications Telemedia Data Protection Act Simplifies Consent to Cookies

- Olga Stepanova


Compensation For GDPR Damages Only in The Event of Damage That Has Actually Occurred

- Patricia Jechel


Do Companies in Germany Need to Report Ransomware Attacks?

- Olga Stepanova


