PROFILE
The federated structure
German data protection law is built on the constitutional principle of federal sovereignty (Bundesstaatlichkeit), under which the 16 Länder retain extensive jurisdiction over matters within their territory. For data protection, this translates into a federated supervisory architecture. The Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI) is the federal-level data protection commissioner, with jurisdiction over federal public bodies, federal agencies, telecoms providers, postal services and certain federally regulated financial entities. Each of the 16 Länder has its own data protection authority, with jurisdiction over the private sector and Land-level public bodies within that Land.
A controller's competent supervisory authority in Germany is therefore determined by its sector (federally regulated entities fall under the BfDI) and by its Land of establishment (private-sector controllers fall under the DPA of the Land in which their German main establishment is located). For operations spanning several Länder, lead-authority rules under German law and DSK coordination resolve overlapping jurisdiction. For cross-border GDPR matters under Article 56, the DPA of the Land of the controller's German main establishment acts as Germany's lead authority for that inquiry.
Coordination among the 17 authorities is provided by the Datenschutzkonferenz (DSK), a permanent body that brings together the BfDI and the Land DPAs. The DSK publishes agreed positions, interpretive guidance, and standardised approaches on recurring issues. The DSK has no enforcement jurisdiction of its own; its outputs inform the practice of the individual authorities. On the EDPB, Germany is represented by the BfDI (typically as the federal voice), with the Länder positions coordinated through the DSK.
Fining philosophy and pattern
German enforcement is notable for the textual precision and analytical depth of its decisions, and for an underlying procedural caution that often produces longer pre-fine investigation timelines than (say) the French CNIL. The federated structure means that fining patterns vary across the Länder: Hamburg and Berlin have historically been among the more active Land DPAs, Lower Saxony and Hesse periodically produce significant decisions, and smaller Länder (Saarland, Bremen, Mecklenburg-Vorpommern) handle proportionally fewer high-profile matters.
The aggregate fine total for Germany is modest relative to Ireland or Luxembourg, both because German fines have generally been smaller and because the federated structure does not produce single-DPA cumulative leaderboards comparable to the DPC. German jurisprudence is nevertheless influential: German decisions are often the first detailed treatment of recurring private-sector issues (employment monitoring, customer authentication, video surveillance), and German courts have produced significant jurisprudence on the corporate-fault question that was referred to the CJEU in the Deutsche Wohnen line of cases.
Headline German decisions
H&M Hennes & Mauritz Online Shop A.B. & Co. KG (Hamburg, October 2020): €35.3 million for systematic monitoring of warehouse-employee personal circumstances (illnesses, religious affiliations, family details) recorded by supervisors over years in a network drive accessible across the management team. The decision is the largest German GDPR fine and the leading authority on employment-monitoring excess.
Notebooksbilliger.de (Lower Saxony, January 2021): €10.4 million for excessive and inadequately justified video surveillance of warehouse, sales-floor and office areas. The decision applies Article 5 data minimisation to physical surveillance in a retail-operations context.
1&1 Telecom GmbH (BfDI, December 2019): €9.55 million for inadequate customer-authentication procedures in call-centre operations, which allowed impersonators to obtain personal information about subscribers by providing only basic identifying details. The fine was reduced to €900,000 by the Bonn Regional Court in November 2020 on the basis that the original fine was disproportionate to the gravity of the infringement. The case is one of the most-discussed German appeal-stage reductions.
Deutsche Wohnen SE (Berlin, October 2019): €14.5 million for retention of tenant data without a lawful basis in an outdated property-management system. The decision was vacated by the Berlin Regional Court in February 2021 on a German criminal-procedure-law point concerning corporate liability. The CJEU subsequently ruled in Case C-807/21 (December 2023) that direct corporate liability without a finding of fault by an identified natural person is compatible with the GDPR. The case continues on remand.
Sectoral enforcement patterns
German DPAs have been particularly active on employment-data matters (employer monitoring of workers' private circumstances, employee video surveillance, biometric attendance), tenant data (Deutsche Wohnen and related property-management cases), customer authentication in telecoms and financial services, and unsolicited marketing under the UWG (the German Unfair Competition Act, layered over the ePrivacy framework).
Cookie-consent enforcement in Germany is governed by the Telekommunikation-Telemedien-Datenschutz-Gesetz (TTDSG), the German implementation of Article 5(3) ePrivacy. Enforcement is split between the Land DPAs (for the consent dimension) and the Federal Network Agency (for some telecoms aspects). The German cookie standard tracks the EDPB and CNIL standards on freely-given consent, with the "refuse as easily as accept" principle applied across Land DPA decisions.
Recent enforcement trends
The German DSK's 2024-2026 priorities include AI systems (joint position on AI Act implementation), employment biometrics and emotion-recognition, connected vehicles, smart-meter and energy-data processing, and the application of GDPR to ChatGPT and other generative-AI providers. Several Land DPAs have opened inquiries into Italian and US AI providers under Article 3 extraterritoriality principles parallel to those in the Italian Garante's work.