The New Germany Privacy Act: BDSG or Bundesdatenschutzgesetz

By David Tremont posted 02-06-2020 14:13


As we all know and unless you were hiding in a cave you no doubt have heard about the enactment of the General Data Protection Regulation (GDPR), in May of 2018.  What you may not have known is the EU left 70 opening clauses which allow the EU-Member States to enact national privacy rules to supplement and modify the GDPR.  The extensive use of opening clauses by the EU-Member States may result in a variety of national privacy laws that require a higher privacy implementation and compliance effort for international private companies.

Well, the German legislators made use of the opening clauses to create a new Germany Privacy Act known as BDSG-new.  This will replace the older BDSG and it was mainly written for private companies located in Germany.  Now you might be wondering the name of the abbreviation BDSG, that name is Bundesdatenschutzgesetz.  Please do not ask me to pronounce it, I would definitely not do it justice.  (thank goodness this is a blog post)

Basically, the objective of the new BDSG is to align itself with GDPR regulations as it relates to assisting in making Germany a better location for businesses and to support new digital developments, however, the rules of the BDSG-new does not apply if the GDPR is applicable because the GDPR is considered a superior rule of law.  This was intentional for member states to make applicable changes they deem necessary for their respective countries’ privacy regulations and laws.

 Here are the main areas (provisions) of the law.[1]

  • video surveillance of a public place,
  • data processing for other purposes, than initially intended,
  • data processing in the context of employment,
  • data processing related to consumer credits, scoring and credit checks,
  • limitation of rights of the data subject,
  • designation of a Data Protection Officer (DPO),
  • administrative fines, criminal provisions,
  • procedural rules for private and public lawsuits.

The other unique difference with the GDPR is that certain data protection violations are considered criminal offenses and violators can be sentenced to up to three years in prison and/or a very large fine. The violation has to be a blatant transfer of private data to a third-party for the purpose of making the data available for commercial use or fraudulent use of the data to harm someone.

More changes are coming from the German legislators.  We will be following this new law and others as well, as information becomes available.  I hope this can explain some key differences with this law if you are a privately held company, firm operating in Germany or have plans to do so in the near future. 

Please visit for more about the BDSG law.

To understand the main differences of GDPR vs BDSG go to the link below.

[1] Information provided by Dr Söntje Julia Hilberg