
DSGVO compliance for your German operation.
DPO. ROPA. DPIA.

The EU GDPR applied via the German BDSG, with German specifics such as the 20-person DPO threshold and the § 25 TDDDG cookie rules. Fines of up to €20 million or 4% of global turnover.

Owner: Sophie Richter, Partner, Munich (Ludwig-Maximilians-Universität München)

Key figures:
20 persons: DPO trigger (§ 38 BDSG)
72h: breach notification window
€20m: maximum GDPR fine (Art. 83)
§ 25 TDDDG: cookie consent basis

Data protection in Germany is the GDPR (Regulation (EU) 2016/679) implemented through the BDSG, with § 25 TDDDG governing cookie consent. Enforcement is active: LfDI Baden-Württemberg, HmbBfDI and BayLDA have all issued six-figure fines. Our baseline compliance package takes a new GmbH from zero to audit-defensible in 5 to 7 weeks.

DPO trigger (§ 38 BDSG)

§ 38 BDSG sets a German-specific threshold: a DPO is mandatory as soon as at least 20 persons are regularly engaged in processing personal data, regardless of company size. GDPR Art. 37 triggers a DPO for certain categories in any case (large-scale regular monitoring, sensitive data at scale). Many startups cross the threshold earlier than they realise.

Verzeichnis von Verarbeitungstätigkeiten (ROPA, Art. 30 GDPR)

Mandatory in nearly all cases. The record documents the purpose of each processing activity, the categories of data subjects and data, recipients, international transfers, retention periods, and the technical and organisational measures in place. We draft and maintain it in a bilingual English/German format.

DPIA (Art. 35 GDPR, § 67 BDSG)

Required when processing is likely to result in a high risk to the rights and freedoms of data subjects. German DPAs maintain trigger lists covering biometrics, employee monitoring, scoring, large-scale sensitive data and AI-supported decision-making. § 67 BDSG sets out the procedure.

International transfers post-Schrems II

SCCs (EU 2021/914) plus a Transfer Impact Assessment (TIA) for third countries. The EU-US DPF has been valid since July 2023 but is under ongoing challenge; we advise SCCs plus a TIA as the resilient baseline even for DPF-listed US vendors.

Cookie consent (§ 25 TDDDG)

Prior consent is required for any non-essential access to the user's terminal device. Dark-pattern banners have been ruled invalid (BGH / CJEU). The consent banner must offer a reject button with the same prominence as the accept button. Every client gets a compliant cookie-banner spec in the Tier 1 package.

Breach notification (Art. 33, 34 GDPR)

72 hours to the supervisory authority for reportable breaches; without undue delay to data subjects when the breach poses a high risk. We run the incident-response playbook; the clock starts at awareness, not discovery.

Our 3-tier package

Tier 1 Baseline (new GmbH, 5-7 weeks, €4,000-9,000): DPO appointment, ROPA, policies, privacy notice, cookie banner spec, basic Schrems II TIA, training module.

Tier 2 Operational (existing entity, +€3,000-8,000): DPIA, SCC drafting, incident-response playbook.

Tier 3 Regulated: ongoing DPO retainer at €400-1,200/month, works-council coordination, AI Act interplay.

Frequently asked questions

When must I appoint a DPO for my German company under § 38 BDSG?

When at least 20 persons regularly process personal data, or when one of the GDPR Art. 37 triggers applies (large-scale regular monitoring, sensitive data at scale).

Can the DPO be internal or external?

Either. An external DPO is common for companies below roughly 100 employees.

Do I need a ROPA for a 3-person startup?

Yes, if you handle personal data of employees, clients or prospects. The GDPR Art. 30 small-organisation exemption is narrow.

When is a DPIA mandatory under Art. 35 GDPR?

For high-risk processing: biometrics, large-scale sensitive data, employee monitoring, AI-supported decision-making, location tracking. German DPAs publish specific trigger lists.

Can I keep using Google Workspace, Microsoft 365 or Stripe after Schrems II?

Yes, with SCCs and a Transfer Impact Assessment. The EU-US DPF adds an optional layer but is not resilient to legal challenge on its own.

Is the EU-US Data Privacy Framework a safe bet in 2026?

Listed US vendors are currently DPF-covered. We recommend an SCCs plus TIA overlay regardless, in case of a future CJEU invalidation.

What is § 25 TDDDG and how does it change cookie-consent banners?

The TDDDG (formerly the TTDSG) transposes the ePrivacy Directive. Cookies and similar device storage require prior, informed, freely given consent, with a reject button of equal prominence.

How fast must I report a data breach to the supervisory authority?

Within 72 hours of awareness under Art. 33 GDPR. Data subjects must be informed without undue delay when the breach poses a high risk.

What are the maximum DSGVO fines and who has been fined in Germany?

Up to €20M or 4% of global turnover under Art. 83 GDPR. German fines in the six-figure range are routine; LfDI BW, HmbBfDI and BayLDA are all active enforcers.

How much does DSGVO baseline compliance cost for a small GmbH?

€4,000-€9,000 one-off for Tier 1. External DPO as a service costs €400-€1,200/month.

Can my lawyer act as DPO?

Yes, subject to a conflict-of-interest check and the independence requirements.

How does employee monitoring interact with works-council rights (BetrVG § 87)?

The works council has a codetermination right over technical monitoring systems. Implementation without a works-council agreement can be void and can breach the DSGVO.

Does the EU AI Act create new data-protection duties?

Yes; it is being phased in through 2026-2027. High-risk AI systems carry additional transparency and DPIA overlays.

Tell us what you need

Engineered from Berlin, Hamburg, Düsseldorf and Munich. One partner per office, English contract, response within one working day.