Germany playbook: BDSG, TDDDG, and what the German DPAs actually enforce
How GDPR is supervised in Germany — the federal BfDI, sixteen state-level data protection authorities, the BDSG, and the cookie-specific TDDDG (formerly TTDSG). What to watch for if you operate in or into the German market.
Lukas Kontur · 5 min read
Germany is the largest single market in the European Union, with roughly 84.6 million residents, and it has the most fragmented data protection enforcement landscape of any member state. There is one federal supervisory authority — the Bundesbeauftragte für den Datenschutz und die Informationsfreiheit, abbreviated BfDI — and sixteen state-level authorities, one per Bundesland. The state authorities are the ones most operators encounter first, because most private-sector controllers fall under state-level supervision rather than federal.
This playbook is a working operator's view of what that means in practice: which authority you talk to, which laws apply on top of GDPR, and what the German DPAs have actually been enforcing.
The legal stack
Three pieces of legislation matter, in this order of specificity.
1. GDPR
The European Union's General Data Protection Regulation applies directly in Germany as in every member state. The substantive rules on lawful basis, data subject rights, and accountability come from here.
2. Bundesdatenschutzgesetz (BDSG)
The BDSG is the German federal data protection act. It implements the opening clauses of GDPR — the places where the regulation explicitly invites member states to legislate — and adds rules on employee data, video surveillance, and the role of the Datenschutzbeauftragter. Two practical consequences for operators:
- Mandatory DPO appointments are broader than under GDPR Art. 37. Under BDSG § 38, any controller in Germany with at least 20 employees regularly processing personal data with automated means must appoint a Datenschutzbeauftragter. This threshold is German-specific and catches many SMBs that would not need a DPO in Spain or Italy.
- Employee data is governed by BDSG § 26, which sets out specific requirements for processing personal data in the employment context.
3. TDDDG (formerly TTDSG)
The Telekommunikation-Digitale-Dienste-Datenschutz-Gesetz, abbreviated TDDDG, is the German implementation of ePrivacy Directive Art. 5(3) — the cookie law. It was renamed from TTDSG in 2024 to reflect its expanded scope to digital services more broadly.
For website operators, the operative provision is TDDDG § 25, which requires opt-in consent before any storage on or access to information on a user's terminal equipment, except where strictly necessary. This is the rule under which cookie banners are evaluated in Germany.
The German DPAs have, in joint guidance from the Datenschutzkonferenz (DSK), most prominently in the DSK statement of 11 July 2023 on telemedia services, taken the position that:
- "Strictly necessary" is read narrowly — basket cookies, session tokens, and CSRF cookies qualify; analytics, even first-party analytics, generally do not.
- A reject button must be on the same banner layer as the accept button.
- Pre-ticked boxes and "by continuing to browse, you consent" notices do not constitute consent.
Who supervises whom
The supervisory map matters because complaints get routed to the authority where the controller is established, not where the data subject resides.
- Federal authority — BfDI. Supervises federal public bodies, telecommunications providers, and postal service operators. For a typical commercial website operator, the BfDI is not your supervisor.
- State authorities — sixteen Landesdatenschutzbeauftragte. Supervise private-sector controllers and state-level public bodies. The most prominent are the Bayerisches Landesamt für Datenschutzaufsicht (BayLDA) for private controllers in Bavaria, the Hessischer Beauftragter für Datenschutz und Informationsfreiheit (HBDI), and the Berlin commissioner (BlnBDI), which sees a disproportionate share of tech-sector cases simply because so many German tech companies are seated in Berlin.
If your German legal entity is in Munich, you talk to BayLDA. If it is in Frankfurt, you talk to HBDI. If you have no German establishment but you direct services into the German market, the lead supervisory authority outside Germany applies through the GDPR one-stop-shop mechanism — but a German user can still complain locally, and the German DPA will route the complaint.
Recent enforcement trends
Three areas have been visible in German enforcement.
Cookie banner enforcement
German DPAs have published guidance and decisions on banners that buried the reject button or pre-loaded trackers. Specific orders, fines, and case details are documented in the authorities' annual reports.
The pattern that draws enforcement is the one our scanner flags as pre_consent_tracking: the banner appears, but tracking requests have already fired and cookies have already been set before the user has made any consent decision.
The risk score is a scanner-internal signal; it is not a legal determination. The underlying network capture — which requests fired before the consent decision and what they carried — is the artefact a regulator or DPO would examine.
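A worked illustration of that artefact, added here and not the scanner's own code: it walks a constructed HAR-style capture, splits requests at a known consent timestamp (assumed to be logged when the banner was answered), and separates pre-consent third-party calls from first-party cookies that merely need a strict-necessity review. The site name, timestamps and URLs are all constructed.

```python
"""Added example: classify requests that fired before the consent decision."""
from datetime import datetime, timezone
from urllib.parse import urlsplit

FIRST_PARTY = "shop.example.de"  # assumed site under test (constructed)
CONSENT_AT = datetime(2024, 5, 2, 10, 0, 5, tzinfo=timezone.utc)  # constructed

# Constructed capture using a subset of HAR 1.2 fields plus the Set-Cookie values seen.
CAPTURE = [
    {"startedDateTime": "2024-05-02T10:00:00Z", "url": "https://shop.example.de/",
     "setCookies": ["session=abc; Path=/; HttpOnly"]},
    {"startedDateTime": "2024-05-02T10:00:01Z", "url": "https://cdn.example.de/app.js",
     "setCookies": []},
    {"startedDateTime": "2024-05-02T10:00:02Z",
     "url": "https://analytics.example-tracker.com/collect?cid=1",
     "setCookies": ["_tid=9f3; Domain=.example-tracker.com; Max-Age=63072000"]},
    {"startedDateTime": "2024-05-02T10:00:09Z", "url": "https://ads.example-net.com/pixel",
     "setCookies": ["uid=77"]},  # fired after consent: out of scope here
]


def _parse_ts(value: str) -> datetime:
    # HAR timestamps are ISO 8601; map the trailing Z onto an explicit UTC offset.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _same_site(host: str, site: str) -> bool:
    # Treat a shared registrable domain as first party (cdn.example.de vs shop.example.de).
    site_root = ".".join(site.split(".")[-2:])
    return host == site_root or host.endswith("." + site_root)


def pre_consent_findings(capture, first_party=FIRST_PARTY, consent_at=CONSENT_AT):
    """Return each pre-consent request that touched the terminal equipment.

    verdict is 'pre_consent_tracking' for any third-party request, and
    'review_necessity' for a first-party request that set a cookie, because
    only a human can decide whether that cookie is strictly necessary.
    """
    findings = []
    for entry in capture:
        if _parse_ts(entry["startedDateTime"]) >= consent_at:
            continue
        host = urlsplit(entry["url"]).hostname or ""
        cookies = [c.split(";")[0] for c in entry["setCookies"]]  # name=value only
        if not _same_site(host, first_party):
            findings.append({"host": host, "cookies": cookies, "verdict": "pre_consent_tracking"})
        elif cookies:
            findings.append({"host": host, "cookies": cookies, "verdict": "review_necessity"})
    return findings
```

The list returned is the evidence to hand to the DPO: host, cookie names and why each entry was flagged, with anything after the consent decision left out.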
Employee data remains an enforcement focus
The BfDI and several state authorities have published guidance on employee monitoring tools, time-tracking, and the use of generative AI on employee data. Operators using HR platforms with global vendors should expect questions about transfers and about the lawful basis under BDSG § 26 rather than vanilla GDPR Art. 6(1)(f).
Transfers to the United States
Even after the EU-US Data Privacy Framework took effect in July 2023, German DPAs have continued to scrutinize US transfers. For transfers to non-EU countries without an adequacy decision, a Transfer Impact Assessment under SCCs is the bar German DPAs have applied since Schrems II. For transfers to the United States, the EU-US Data Privacy Framework provides adequacy specifically for recipients certified under it; transfers to non-certified US recipients still ride on SCCs with supplementary measures. Operators relying on SCCs alone, without documented analysis, should expect questions.
Operator checklist
If you operate in or into the German market, the practical short list:
- Confirm whether your DPO appointment threshold has been crossed under BDSG § 38, not just GDPR Art. 37.
- Audit your consent banner against TDDDG § 25 and the DSK guidance: reject must be on the same layer as accept, no pre-loaded trackers, no nudging.
- Identify which state authority supervises your German legal entity, and read their published focus areas — they vary.
- Document your transfer mechanism for any US-based processor.
- Run a scan of your German-language landing pages and compare against the pre-consent tracking knowledge article.
The German market is large, sophisticated, and well-supervised. German DPAs publish guidance on cookie-banner compliance and have issued enforcement orders against operators whose banners did not meet that guidance. The pattern that works is the simple one: load nothing non-essential, ask clearly, respect the answer.