Federal Data Protection Act (BDSG): Obligations, Thresholds, and Its Relationship to the GDPR
The Federal Data Protection Act (BDSG) 2018 specifies the European GDPR for the German legal framework. This article explains the structure, the appointment obligation under § 38 Federal Data Protection Act (BDSG), the fine framework, and the practical consequences for companies with 20 or more persons.
The German Federal Data Protection Act (BDSG) in the version of 25 May 2018 forms, together with the General Data Protection Regulation (GDPR), the two-tier data protection law in Germany. The GDPR sets the European framework; the Federal Data Protection Act (BDSG) uses the national opening clauses to specifically regulate employment data protection, video surveillance, credit scoring, and the appointment obligation for the company Data Protection Officer.
For companies with 20 or more persons engaged in the processing of personal data, § 38 Federal Data Protection Act (BDSG) is the most important provision in the entire Act: it obliges them to appoint a Data Protection Officer. If the appointment certificate is missing, an administrative offence has already been committed — regardless of whether the data processing is otherwise unimpeachable. This article explains the structure and requirements of the Federal Data Protection Act (BDSG) and the interface with the GDPR, and shows how companies can fulfil the appointment obligation in a legally compliant manner.
Key Takeaways
- § 38 Federal Data Protection Act (BDSG) obliges companies with 20 or more persons engaged in data processing to appoint a DPO in writing — the missing certificate is itself a fineable offence.
- The Federal Data Protection Act (BDSG) supplements the GDPR through 22 national opening clauses, including § 26 BDSG on employment data protection and § 25 BDSG on video surveillance.
- Violations can be penalised under § 43 Federal Data Protection Act (BDSG) with up to €300,000; serious GDPR violations can reach up to €20 million or 4% of global annual turnover.
Structure of the Federal Data Protection Act (BDSG): Three Parts, One Supplementary Logic
The German Federal Data Protection Act (BDSG) 2018 is divided into three parts comprising 88 sections in total. Part 1 (§§ 1–21) contains general provisions and principles that run throughout the entire Act. Particularly relevant is § 1(2) Federal Data Protection Act (BDSG), which clarifies the relationship with the GDPR: the Federal Data Protection Act (BDSG) applies in a supplementary and modifying capacity and does not displace the GDPR. For companies, this means: compliance with the GDPR does not automatically fulfil all Federal Data Protection Act (BDSG) requirements.
Part 2 (§§ 22–44) governs the processing of personal data by private bodies and federal public bodies. This is where the national opening clauses are found: § 26 Federal Data Protection Act (BDSG) on employment data protection (Art. 88 GDPR), § 25 Federal Data Protection Act (BDSG) on video surveillance of publicly accessible spaces, § 27 Federal Data Protection Act (BDSG) on scientific processing, as well as §§ 32–37 Federal Data Protection Act (BDSG) on restricted data subject rights in certain situations. The opening clauses are not a subordination of the Federal Data Protection Act (BDSG) but a deliberate exercise of national discretion.
Part 3 (§§ 45–84) implements EU Directive 2016/680 (the Law Enforcement Directive) and applies to data processing by police and criminal prosecution authorities. Part 3 has no direct relevance for commercial enterprises. Exceptions apply to private security service providers acting on behalf of public authorities.
For SMEs, §§ 26, 38, and 43 Federal Data Protection Act (BDSG) are the most frequently audited provisions. § 38 determines the appointment obligation, § 43 the fine framework. Those who know both, document them, and can demonstrate a named DPO lay the foundation for a legally valid Data Protection Officer appointment. The auditor calls — the evidence is ready.
§ 38 Federal Data Protection Act (BDSG): When Does the Appointment Obligation Arise?
§ 38(1) Federal Data Protection Act (BDSG) obliges companies to appoint a Data Protection Officer if at least 20 persons are regularly engaged in the automated processing of personal data. The threshold relates to the number of persons engaged in data processing, not to the total workforce. A company with 18 office employees who have access to CRM, ERP, and email quickly exceeds this threshold — a misconception that frequently arises in audit proceedings.
In addition, the appointment obligation under § 38(1) sentence 2 Federal Data Protection Act (BDSG) applies regardless of the number of employees if the company carries out processing operations that require a data protection impact assessment under Art. 35 GDPR. Supervisory authorities publish lists of processing types that regularly require a DPIA. Typical triggers include: systematic profiling, large-scale biometric processing, and extensive monitoring systems.
The appointment obligation under Art. 37 GDPR applies additionally for certain categories regardless of thresholds: public bodies, companies with extensive processing of special categories of data under Art. 9 GDPR, and companies that systematically monitor individuals on a large scale. In practice, the § 38 threshold is the decisive trigger for most private SMEs.
Documentation is critical: § 38 Federal Data Protection Act (BDSG) does not require a specific form, but under the accountability principle of Art. 5(2) GDPR the appointment must be demonstrable. Supervisory authorities expect a dated, signed appointment certificate with the role designation and reporting line. Appointment certificate, signed, filed, verifiable.
Requirements for the Data Protection Officer under §§ 5–7 Federal Data Protection Act (BDSG)
§ 5 Federal Data Protection Act (BDSG) governs the appointment of the Data Protection Officer and refers to Arts. 37–39 GDPR. The DPO must possess expert knowledge of data protection law and practice, as required by Art. 37(5) GDPR. The Federal Data Protection Act (BDSG) does not elaborate on this requirement further; however, the Data Protection Conference (DSK) has published guidance notes requiring knowledge of data protection law, IT security, and the specific operational environment of a company. Inadequate qualification may render the appointment invalid.
§ 6 Federal Data Protection Act (BDSG) ensures that the DPO may not be dismissed or penalised for performing his or her duties. This protection against dismissal also applies to external DPOs appointed via a service provider. A company may not terminate its external DPO because that person identifies uncomfortable data protection issues. A termination for this reason is invalid and can itself lead to fine proceedings.
§ 7 Federal Data Protection Act (BDSG) permits the appointment of a group as joint Data Protection Officers. This constellation is relevant in corporate groups where several subsidiaries wish to appoint a shared DPO. Each participating company remains independently responsible; the joint DPO may not create irresolvable conflicts of interest between the companies.
For companies without a suitably qualified data protection specialist of their own, an external DPO offers the practical alternative: qualification, structural independence, and proof of appointment without internal conflicts of interest. The external Data Protection Officer via CIVAC brings all formal prerequisites and is formally appointed in writing within two business days.
§ 26 Federal Data Protection Act (BDSG): Employment Data Protection in Practice
§ 26 Federal Data Protection Act (BDSG) is the national opening clause for Art. 88 GDPR and governs the processing of personal data in employment relationships. The provision permits processing where it is necessary for the establishment, performance, or termination of the employment relationship, or where the data subject has given effective consent. Both conditions require an explicit balancing of interests and its written documentation.
In practice, this means: payroll processing, personnel files, recording of sick leave, and performance appraisals are generally permissible under § 26(1) Federal Data Protection Act (BDSG), provided the data minimisation principle under Art. 5(1)(c) GDPR is observed. Keyloggers, permanent email monitoring, or GPS tracking without a transparent and documented legal basis are problematic. Reading private device data on company phones without a clear legal basis is also impermissible.
Particularly sensitive is the processing of employees' health data, for example in the context of workplace reintegration management (BEM) or the recording of illness-related absences. § 26(3) Federal Data Protection Act (BDSG) requires appropriate protective measures and a documented necessity assessment. This documentation belongs in the record of processing activities under Art. 30 GDPR.
Under Art. 39 GDPR, the Data Protection Officer has the task of advising the company on questions relating to § 26 Federal Data Protection Act (BDSG) and continuously monitoring compliance. Companies without an appointed DPO lack this control point; works agreements on IT use or video surveillance are then concluded without a data protection quality review. Such agreements may be challenged retrospectively.
The Relationship Between the Federal Data Protection Act (BDSG) and the GDPR: Primacy, Supplementation, National Law
The relationship between the Federal Data Protection Act (BDSG) and the GDPR follows the principle of primacy of EU law: where the GDPR provides exhaustive regulation, the Federal Data Protection Act (BDSG) may not deviate. Where the GDPR leaves national discretion, the Federal Data Protection Act (BDSG) fills these gaps with German provisions that must be compatible with Union law. This principle is occasionally a source of interpretive uncertainty in German data protection law.
Germany has made use of 22 opening clauses of the GDPR. The most significant are: employment data protection (Art. 88 GDPR → § 26 Federal Data Protection Act (BDSG)), processing for scientific purposes (Art. 89 GDPR → § 27 Federal Data Protection Act (BDSG)), special provisions for public bodies (Art. 6(2) GDPR → §§ 3, 22 Federal Data Protection Act (BDSG)), and restrictions on data subject rights in exceptional cases (§§ 32–37 Federal Data Protection Act (BDSG)). Each of these clauses can become relevant in day-to-day business.
In practice, tensions arise primarily in the interpretation of § 26 Federal Data Protection Act (BDSG): labour courts and data protection authorities sometimes interpret this provision differently. In case of doubt, the GDPR takes precedence; § 26 Federal Data Protection Act (BDSG) only applies insofar as it is compatible with the GDPR. The European Court of Justice has clarified in several decisions that national opening clauses may not lower the level of protection afforded by the GDPR.
For compliance officers, the rule therefore applies: the GDPR and the Federal Data Protection Act (BDSG) must be read and implemented together. A record of processing activities under Art. 30 GDPR must also identify the national legal bases from the Federal Data Protection Act (BDSG). The DPO verifies both and keeps the position current. Without a DPO, this control point is missing.
Fines under § 43 Federal Data Protection Act (BDSG) and Art. 83 GDPR: The Framework
The Federal Data Protection Act (BDSG) provides its own fine provisions in § 43(1) and (2) that apply independently of GDPR fines. § 43(1) Federal Data Protection Act (BDSG) penalises minor violations — such as unlawful collection, failure to notify, or inadequate technical and organisational measures — with up to €50,000. § 43(2) Federal Data Protection Act (BDSG) sanctions serious violations, such as unauthorised transmission or processing for extraneous purposes, with up to €300,000.
In addition, the fine frameworks of Art. 83 GDPR apply: violations of fundamental principles, data subject rights, or international transfers can amount to up to €20 million or 4% of global annual turnover. Failure to appoint or incorrect appointment of a DPO under § 38 Federal Data Protection Act (BDSG) is a fineable offence under Art. 83(4)(a) GDPR with a fine framework of up to €10 million or 2% of annual turnover.
Supervisory authorities coordinate via the Data Protection Conference (DSK) and exchange proceedings. Fine proceedings are not only initiated following complaints; authorities also conduct investigations without cause, for example following publicly disclosed data breaches or in the context of sector-specific focus audits.
Decisive for the amount of the fine, alongside the gravity of the violation, is the quality of the documentation. Those who do not fulfil Art. 5(2) GDPR (accountability) effectively bear the burden of proof in fine proceedings. Companies with a complete audit trail and a verifiable appointment certificate are treated more leniently in practice.
Data Breaches and Notification Obligations: The 72-Hour Deadline under Art. 33 GDPR
Art. 33 GDPR obliges controllers to notify the competent supervisory authority of personal data breaches within 72 hours of becoming aware of them. The notification obligation applies where the breach is likely to result in a risk to the rights and freedoms of natural persons. The Federal Data Protection Act (BDSG) contains no divergent national provision; the 72-hour deadline applies without restriction to all private controllers in Germany.
The notification must contain at least the following under Art. 33(3) GDPR: the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken or planned to address the breach. If not all information is available at the time of notification, it may be submitted in stages under Recital 85 GDPR. However, the staged submission does not release the controller from the obligation to make an initial notification within the deadline.
The clock starts running from the moment of knowledge. The 72-hour deadline does not begin with the technical security incident but with the moment at which a responsible person classifies the incident as a notifiable data breach. Clear internal escalation rules and a named contact person are therefore critical. Companies without a DPO risk recording the moment of knowledge later than the point at which the deadline actually began to run.
In addition, Art. 34 GDPR may trigger a notification obligation towards the data subjects affected, where there is a high risk. The externally appointed Data Protection Officer via CIVAC takes on the coordination: fact clarification, risk assessment, authority notification, and internal communication.
Internal versus External DPO: Four Decision Criteria
§ 38 Federal Data Protection Act (BDSG) and Art. 37 GDPR permit both internal and external Data Protection Officers. The decision depends on four criteria: expertise, independence, capacity, and cost. Those who honestly assess all four will in many cases conclude that an external DPO represents the safer and often more cost-effective solution.
Expertise: An internal DPO must know the essential standards and keep them continuously updated. Since data protection law is constantly evolving through new regulatory decisions, ECJ rulings, and changing processing forms, continuous professional development is mandatory — internally, this is often difficult to guarantee because day-to-day business and the DPO function compete for the same capacity.
Independence: Art. 38(6) GDPR prohibits conflicts of interest. An IT manager who simultaneously bears responsibility for the processing IT infrastructure cannot be an independent DPO. Supervisory authorities have challenged such dual functions on multiple occasions and declared the appointment invalid. External DPOs are by design free from instructions.
Capacity: The DPO must have sufficient time for his or her tasks (Art. 38(2) GDPR). The record of processing activities, DPIA reviews, training planning, and data breach handling typically require 20–40% of a full-time position in an SME. CIVAC offers both paths as a compliance platform and Officer-as-a-Service: licence the workspace for your internal officers or appoint our officers. The decision can also be made on a role-by-role basis and adjusted at any time when the internal qualification situation changes.
Federal Data Protection Act (BDSG) Compliance as an Ongoing Operational Obligation: Next Steps
Federal Data Protection Act (BDSG) compliance is not a one-off project — it is an ongoing operational obligation. The record of processing activities under Art. 30 GDPR must be kept up to date; new processing operations require a data protection impact assessment under Art. 35 GDPR if they present a high risk. Consent processes must meet the requirements of Art. 7 GDPR; technical and organisational measures must be updated in line with the state of the art and reviewed regularly. These are not optional tasks — they are obligations with fine relevance.
Under Art. 39 GDPR, the DPO takes on responsibility for monitoring these tasks, advises management, and serves as the point of contact for supervisory authorities. For companies that maintain the DPO function internally, the CIVAC workspace offers a structured task list with due dates, 37 ready-made audit templates, and an AI assistant that answers questions about standards with a confidence score and source reference.
Others run compliance like a filing cabinet. We run it like software. The CIVAC workspace automates recurring cadences, logs every step in the audit trail, and exports the annual report on request. The audit date arrives — the report is ready.
For companies that cannot or do not wish to appoint a qualified internal DPO, CIVAC takes on the external appointment as a compliance platform and Officer-as-a-Service. Contract, appointment certificate, and workspace activation within two business days — audit-proof, documented, and § 38 Federal Data Protection Act (BDSG)-compliant.
Turn reading into action: write to info@civac.de or use the contact form at civac.de to discuss the DPO appointment or a workspace licence for your internal officer.
FAQ
From how many employees must a DPO be appointed under § 38 Federal Data Protection Act (BDSG)?
§ 38(1) Federal Data Protection Act (BDSG) refers to at least 20 persons regularly engaged in automated data processing — not the total workforce. In practice, most office organisations reach this threshold quickly. In addition, the appointment obligation under Art. 37 GDPR applies regardless of the number of employees for certain processing types such as profiling or biometric processing.
What difference does it make whether the DPO is appointed internally or externally?
Both options are permissible under § 38 Federal Data Protection Act (BDSG) and Art. 37 GDPR. An internal DPO is only possible where there is no conflict of interest with other duties (Art. 38(6) GDPR). External DPOs bring structural independence and are often the legally safer and more cost-effective choice for companies without their own legal department.
What happens if the DPO appointment obligation under § 38 Federal Data Protection Act (BDSG) is not fulfilled?
Failure to appoint is a fineable offence under Art. 83(4)(a) GDPR with a fine framework of up to €10 million or 2% of global annual turnover. The competent state data protection authority has jurisdiction. Proceedings may be initiated without cause or following complaints by third parties.
What obligations apply in the event of a data breach under the Federal Data Protection Act (BDSG) and the GDPR?
Art. 33 GDPR obliges notification to the supervisory authority within 72 hours of becoming aware, if a risk to data subjects cannot be excluded. The Federal Data Protection Act (BDSG) contains no divergent provision. In addition, Art. 34 GDPR may require direct notification of the data subjects concerned.
What does § 26 Federal Data Protection Act (BDSG) regulate for employers?
§ 26 Federal Data Protection Act (BDSG) is the national opening clause for employment data protection under Art. 88 GDPR. It permits data processing where it is necessary for the employment relationship or where effective consent exists. Health data of employees is subject to stricter requirements under § 26(3) Federal Data Protection Act (BDSG), including appropriate protective measures.
Does the Federal Data Protection Act (BDSG) also apply to small companies with fewer than 20 employees?
Yes. The Federal Data Protection Act (BDSG) applies to every non-public body that processes personal data, regardless of the number of employees. Only the appointment obligation under § 38 Federal Data Protection Act (BDSG) is threshold-dependent. Processing principles, data subject rights, and notification obligations under the GDPR and the Federal Data Protection Act (BDSG) also apply to micro-enterprises.
Turn this into a mandate.
Let us carry the operational weight. External officer, templates and documentation in one workspace. No obligation.