Germany: Amendments to the Federal Data Protection Act

On 25 May 2018, various changes in the processing of personal data come into force in Germany. The amendments are based on the entry into force of the Data Protection Regulation and the Data Protection Adjustment Act.

Therefore, companies should review their processes regarding the processing of personal data and, if necessary, adapt them to the new legal requirements.


In principle, data protection is applicable to the collecting and processing of personal data from consumers. Accordingly, the amendment to the Federal Data Protection Act will have an effect in particular in e-commerce.

A significant change is the requirement for the consent of minors. Previously, the consent of minors had been determined by the individual intellectual maturity and insightfulness of the minor. Now an age limit of 16 years will be legally stipulated. Although the member states are entitled to reduce the age limits, they cannot go beyond an age of 13 years. For e-commerce, the regulation means that age verification systems must be integrated into the consent or ordering process and mechanisms must be set up with which representative can be identified and their consent for the minor can be documented.

In addition, the catalogue of the data that must be communicated to the consumer has been extended and a copy of the data process must be handed over to the consumer. Any addition to the data protection catalogue and the legal available to the consumer will of course also lead to new requirements for the data privacy statement, with regard to the duration of data storage and legal remedies.

Employee data protection

This does not only apply to companies facing consumers in their daily business. Even if a company is only active in the B2B area, it must observe the regulations at least with regard to the data of its employees. There had always been regulations on the processing of data of employees as well, however they have not always been observed previously. The list of penalties in form of fines has now been adjusted so that a breach of the data protection rules will be more painful to the company.

The employer is to inform the employee about the Pearl purpose of the data processing as well as about a right of revocation in text form. Information about the right of revocation was often omitted in the past. The relevant information can either be provided as part of a entering into the employment relationship or as part of the service and works agreement. In the same way as in other areas of data protection, the purpose, legal basis and consequences of the data collection and processing must be described and the contact details of the responsible person must be provided. In addition, the Data Protection Act has been extended with regard to the personal applicability and now includes data from temporary workers and volunteers, who provide services under the Federal Voluntary Service Act.


Potentially higher fines now punish a breach of the so-called new Data Protection Act. If up to now fines up to €300,000 were the maximum, from now on fines can be as high as €10 million or 2% of the worldwide annual turnover of the previous financial year. In case of other infringements relating for example to the legitimacy of the data processing, fines up to €20 million or 4% of the global annual turnover of the previous financial years can be imposed.

In order for the technical implications to be made by 28 May 2018, companies should urgently familiarize themselves with the new developments in data protection and initiate necessary steps in order to meet the new requirements.

Contact person: Vanessa Lichter, Rechtsanwältin