BDSG – German Federal Data Protection Act
The BDSG 2018 supplements the GDPR with German opening clause law and regulates data protection in employment contexts, for authorities, and establishes supervisory structures (BfDI, LfDs).
Summary
The Bundesdatenschutzgesetz (BDSG) in its 2018 version is the central German data protection law. It supplements the directly applicable GDPR with national rules utilizing the GDPR's opening clauses and adapts German law to European requirements.
- Supplement to the GDPR: The BDSG regulates areas where the GDPR leaves member states discretion
- Employee data protection (§ 26 BDSG): Special provision for processing employee data
- Supervisory authorities: Federal Commissioner for Data Protection and Freedom of Information (BfDI) for federal authorities; state commissioners (LfDs) for states and private sector
- Criminal law: Supplementary fine and criminal provisions (§§ 42–43 BDSG)
History
The first German Federal Data Protection Act entered into force on January 1, 1978 – as one of the first national data protection laws worldwide. It was strongly influenced by the Federal Constitutional Court's Census Ruling (1983), which recognized the right to informational self-determination as a fundamental right.
With the entry into force of EU Data Protection Directive 95/46/EC, the BDSG was substantially revised in 1990 and 2001. The fundamental reform took place in 2018: the new BDSG (Act of June 30, 2017, Federal Law Gazette I p. 2097) entered into force on May 25, 2018 simultaneously with the GDPR. It replaces the BDSG 2003 and is structured in three parts: general rules (Part 1), transposition of Directive (EU) 2016/680 for law enforcement authorities (Part 2), and special rules for intelligence services (Part 3).
Scope
The BDSG applies to:
- Part 1: Federal public bodies and private entities where the GDPR provides opening clauses
- Part 2: Law enforcement authorities (transposition of JI Directive 2016/680)
- Part 3: Domestic intelligence agencies, BND, MAD (outside GDPR scope)
- § 26 BDSG: All German employers processing employee data
Key Requirements
- § 26 BDSG (employee data protection): Processing of employee data only for establishment, performance, or termination of employment; consent in employment relationships only effective under strict conditions. Note: The CJEU ruled on 30 March 2023 (C-34/21) that § 26(1) sentence 1 BDSG does not meet the requirements of Art. 88 GDPR and is therefore incompatible with EU law and inapplicable.
- § 22 BDSG (special categories): Processing of sensitive data requires explicit legal basis; protective measures such as pseudonymization
- § 38 BDSG (Data Protection Officers): Mandatory from 20 persons regularly engaged in automated data processing (lower threshold than GDPR)
- § 42 BDSG (criminal sanctions): Imprisonment up to 3 years for unauthorized transmission or disclosure of non-publicly accessible data (§ 42(1)); imprisonment up to 2 years or fine for intentional violations under § 42(2)
- § 43 BDSG (fines): Supplementary fine provisions
- BfDI/LfD supervision: Federal/state jurisdictional delineation; complaint and advisory rights
Related Frameworks
Corrections & Errata
1 correction:
- last_amended date outdated (2023 instead of 2024)
2 updates:
- Missing reference to CJEU C-34/21: §26 BDSG incompatible with EU law
- Missing key_dates: BDSG amendments 2024 and 2025
2 clarifications.