ILN Data Privacy Paper

Germany

E-Privacy and Telecommunications (TTDSG)

The Telecommunications and Telemedia Data Protection Act (Telekommunikation-Telemedien-Datenschutz-Gesetz, TTDSG) entered into force on 1 December 2021, consolidating fragmented telecom/telemedia rules. In May 2024, it was renamed Telecommunications and Digital Services Data Protection Act (TDDG). Of particular relevance: § 25 TTDSG implements Article 5(3) ePrivacy Directive, requiring prior consent for cookies and tracking technologies - effectively Germany’s statutory “cookie rule”. The TTDSG also regulates the confidentiality of communications (calls, emails, messaging) and device data. Non-compliance can trigger fines in addition to GDPR penalties. The long-awaited EU ePrivacy Regulation is still under negotiation; until adopted, national rules remain binding. Recent German court rulings and DSK decisions confirm that manipulative “dark patterns” in cookie banners are unlawful.

Conclusion and Outlook

Germany’s data protection regime is dense and mature, combining the GDPR with national rules and an active regulatory landscape. Key developments in 2023/24 included the invalidity of § 26 BDSG (employment data), the CJEU’s Schufa ruling on credit scoring, and extensive supervisory guidance on AI and cookies.

Case law: In December 2023, the CJEU’s “Schufa” ruling declared that automated credit scoring is unlawful under Article 22 GDPR if it leads to adverse decisions without further human assessment. This has major implications for German credit bureaus and financial institutions. Earlier, in February 2023, the German Constitutional Court struck down provisions in Hesse and Hamburg authorizing automated data analysis by police using AI as unconstitutional, stressing the need for strict legal limits to protect the data of innocent individuals.

IT Security (Cybersecurity)

Germany has a robust IT security regime under the Federal Office for Information Security Act (BSIG) and two IT Security Acts (2015 and 2021). Operators of critical infrastructure must meet minimum security standards and notify incidents. The NIS2 Directive (December 2022) significantly expands obligations (covering more sectors and more companies). Germany missed the October 2024 transposition deadline; a draft implementation law was only approved in July 2025, expected to apply to approximately 29,000 additional companies. In the meantime, existing BSIG rules apply. Cybersecurity is increasingly viewed as a core element of data protection compliance, as most data breaches result from insufficient security. The BSI’s 2023 report highlighted ongoing threats, particularly ransomware and data theft.

Adjacent Areas – Privacy & Security Outlook

www.omf-law.com
