Last reviewed: 2026-05-05 · Reviewer: M.K., CIPP/E
Germany Bundesrepublik Deutschland

WEB ANALYTICS · COOKIE COMPLIANCE · WESTERN EUROPE · DE

Germany — analytics & cookie compliance reference

What you can run on a German-targeted website without a fine — GA4, cookies, vendor stack, and the rules behind them. Federal + 16 state DPAs · among the strictest cookie regimes in the EU.

// SCOPE

Web analytics, cookies, tag managers, CMPs, ad pixels, and session-replay tools as deployed on websites and apps targeting Germany. Sectoral rules (healthcare, banking, employment) are touched only where they intersect with the analytics layer.

Applicable laws

The legal framework that governs personal data processing here.

National addons

Country-specific statutes layered on the EU baseline.

BDSG  Stricter
Bundesdatenschutzgesetz
Federal implementation of GDPR opening clauses + special-categories + employee data + DPO threshold + criminal penalties. Note: ECJ C-34/21 (30 Mar 2023) declared § 26(1) sentence 1 BDSG incompatible with EU law as a general clause — employers fall back on GDPR Art 6(1)(b)/(f) until reform resumes.
  • § 22 Special-category data — German-specific permissions (employment, social security, public health)
  • § 26 Employee data — necessity for employment relationship; works-council interaction
  • § 38 DPO threshold — mandatory at ≥20 employees regularly engaged in automated processing
  • § 42 Criminal liability — up to 3 years' imprisonment for intentional commercial mishandling
BDSG 2018 (BGBl. I 2017 Nr. 44, S. 2097), latest enacted amendment June 2021 (JIT-Anpassungsgesetz). 2023/2024 reform draft pending — shelved with Bundestag dissolution.
TDDDG  Stricter
Telekommunikation-Digitale-Dienste-Datenschutz-Gesetz
Cookies + terminal-equipment access + electronic communications privacy. Section 25 transposes ePrivacy Art 5(3) — strictest reading in the EU.
  • § 25(1) Storage / read access on terminal equipment requires prior, informed, granular consent
  • § 25(2) Strictly-necessary exception — narrowly construed; analytics/marketing/A-B testing never qualify
  • § 26 2025 Consent Management Ordinance — approved CMP services
BGBl. 2024 I Nr. 149 (renamed 14 May 2024 from TTDSG to align with EU Digital Services Act)
UWG § 7
Gesetz gegen den unlauteren Wettbewerb
Direct marketing — email/SMS opt-in (double-opt-in standard per BGH I ZR 218/07). GDPR legitimate-interest does not cure UWG breach.
  • § 7(2) Email/SMS marketing — prior express opt-in required
  • § 7(3) Soft opt-in — narrow exception for existing-customer + similar products + opt-out at every contact
Federal Act Against Unfair Competition

Regulators

Supervisory authorities that interpret and enforce privacy law here.

FEDERAL
BfDI · Bundesbeauftragte für den Datenschutz und die Informationsfreiheit
Federal bodies + telecoms + postal services + Bundeswehr only

State / Land DPAs · 17 authorities

Land / state | Authority | Note
Baden-Württemberg | LfDI BW | Most aggressive on TIA + Schrems II
Bavaria (private) | BayLDA | Cookie-banner sweeps; private sector only
Bavaria (public) | BayLfD | Public bodies only — Bavaria's two-DPA anomaly
Berlin | BlnBDI | Active on Art 27 representative enforcement
Brandenburg | LDA Brandenburg |
Bremen | LfDI Bremen |
Hamburg | HmbBfDI | H&M €35.3M (2020)
Hesse | HBDI Hessen |
Mecklenburg-Vorpommern | LfD MV |
Lower Saxony | LfD Niedersachsen | Notebooksbilliger.de €10.4M (2021, overturned)
North Rhine-Westphalia | LDI NRW |
Rhineland-Palatinate | LfDI RLP |
Saarland | LfDI Saarland |
Saxony | Sächsische DSTB | Sächsische Datenschutz- und Transparenzbeauftragte
Saxony-Anhalt | LfD Sachsen-Anhalt |
Schleswig-Holstein | ULD |
Thuringia | TLfDI |

Coordination body

DSK · Datenschutzkonferenz
Federal–state coordination body. Non-binding but de facto authoritative.
  • 2020-05-26 · Google Analytics — DSK Beschluss 'Hinweise zum Einsatz von Google Analytics im nicht-öffentlichen Bereich' — default deployments require explicit consent + supplementary measures.
  • 2023-03-22 · Pur-Abo / Consent-or-Pay — DSK Beschluss assessing pay-walled news models — strict interpretation of voluntary consent.
  • 2024-04 · Consent Mode v2 — Cookieless pings still constitute access to terminal equipment under TDDDG §25 — consent required.

Notable enforcement

Germany ranks consistently in the top 3 EU member states by GDPR fine volume. Outcomes matter as much as headline amounts — multiple high-profile fines have been reduced or overturned on appeal (Deutsche Wohnen, Notebooksbilliger, 1&1). The ECJ Case C-807/21 (Deutsche Wohnen) clarified the 'undertaking' concept under Art 83 and undermined the German strict-attribution doctrine — fines must now consider the corporate group's total turnover.

  1. 2025-06 €45.0M
    Vodafone GmbH BfDI · Art 28, 32 stood

    €15M for partner-agency oversight failures + €30M for MeinVodafone authentication weaknesses. Largest German GDPR fine to date.

  2. 2020-10 €35.3M
    H&M Hennes & Mauritz HmbBfDI · Art 5, 6, 9 stood

    Employee surveillance at Nuremberg service centre — health and family-circumstance notes on shared drive. Largest German GDPR fine until 2024.

  3. 2019-10 €14.5M
    Deutsche Wohnen BlnBDI · Art 5, 25 annulled-then-rebooted

    Tenant data retention beyond purpose. Annulled by Berlin Regional Court 2021 (no corporate-group attribution); reinstated logic via ECJ Case C-807/21 (2023).

  4. 2021-01 €10.4M
    Notebooksbilliger.de LfD Niedersachsen · Art 5, 6 reduced

    Video surveillance of employees and customers without sufficient legal basis. OLG Celle reduced fine to €2.94M (2023) citing 2019/2020 legal uncertainty + EDPB May-2023 guidelines.

  5. 2019-10 €9.6M
    1&1 Telecom BfDI · Art 32 reduced

    Insufficient telephone-authentication procedure exposing customer data. Reduced to €900K by LG Bonn 2020 — landmark ruling that DPA daily-rate calculation was disproportionate.

  6. 2022-07 €1.1M
    Volkswagen LfD Niedersachsen · Art 13 stood

    Test-vehicle data — drivers not informed about location/identity tracking systems.

GA4 status

GA4 is usable in Germany only with prior, explicit, granular consent under TDDDG § 25. After EU-US DPF (Jul 2023), transfers to Google's US servers are lawful in principle while Google LLC remains DPF-certified. State DPAs continue to vary in posture.

DPA | Stance
BfDI | Permissive post-DPF — transfers lawful with DPF + explicit consent.
LfDI BW | Most aggressive — requires documented TIA even under DPF; supplementary measures expected.
BayLDA | Cookie-banner sweeps prioritized; consent layer must satisfy TDDDG § 25 strictly.
BlnBDI | Warnings issued, no fines yet; monitoring DPF stability.

Cross-border transfers + Schrems II

Germany was the most active EU member state on Schrems II enforcement pre-DPF. Post-DPF (10 Jul 2023) BfDI accepts adequacy for DPF-certified US importers. LfDI BW remains the strictest TIA reviewer; controllers still expected to document supplementary measures and FISA 702 risk analysis even with DPF.

EU 2021/914 SCCs remain the fallback when DPF certification is absent or revoked. German DPAs scrutinize Module 2 (controller-processor) onward-transfer clauses heavily.

Employee data

Key thresholds

  • DPO mandatory at: ≥20 employees
  • Child consent age: 16 years
  • Article 27 representative: Required
  • Marketing consent: Double opt-in

Vendor signals

Red / yellow / green markers are an editorial reading of public regulator guidance and published enforcement actions, applied to vendor behavior we can observe or that the vendor documents. They are not legal conclusions, not endorsements, and not advice about your specific processing. Configuration changes the picture — a "yellow" vendor in one configuration may be defensible in another.

Analytics tools · 12 · 6 green · 5 yellow · 1 red
Vendor | Status | Rationale
 | GREEN | Cookieless by design. EU-routed via Cloudflare. No DPA required for Lite tier (no PII).
 | GREEN | Self-hosted on your infrastructure. Full data control, configurable IP anonymization. Meets every jurisdiction with cookieless config.
 | GREEN | EU-hosted with cookieless mode available. With cookies disabled, qualifies for the § 25(2) exception in Germany.
 | GREEN | German-hosted, cookieless, GDPR-aligned by design.
 | GREEN | EU-hosted, no cookies, no PII processed. ePrivacy-exempt for cookieless tracking. No banner required.
 | GREEN | Open-source, cookieless, fully self-hostable. Default-green when self-hosted.
 | YELLOW | Visitor ID cookie + cross-suite stitching with Experience Platform. DPIA strongly recommended; configure ECID + IP obfuscation.
 | YELLOW | EU residency available on paid plans; default cloud is US. Persistent user IDs require config + DPA + DPF chain.
 | YELLOW | Default config sends data to US infrastructure. Needs Consent Mode v2 + IP anonymization + DPF active + signed DPA + reject-all banner. Server-side EU proxy moves it to green.
 | YELLOW | EU residency available on paid plans; default cloud is US. Identifies users by default — needs config.
 | YELLOW | EU cloud helps, but session recording + autocapture default to PII collection. Disable autocapture and recordings or self-host for green.
 | RED | Auto-capture grabs every click and form value — broad PII risk under GDPR Art 5(1)(c) data minimization.
Consent management platforms · 5 · 5 green · 0 yellow · 0 red
Vendor | Status | Rationale
 | GREEN | Danish-based, EU-hosted. Auto-blocks third-party scripts pre-consent — verify your manual scripts also gate.
 | GREEN | Italian-based, EU-hosted. Free tier limited to 5k pageviews/month; granular per-vendor controls require a paid plan.
 | GREEN | Open-source, self-hosted. No managed updates — site owner maintains the vendor list.
 | GREEN | GDPR + CCPA + multi-region templates available. Common config error: GDPR/CCPA mode mismatch — verify per-region defaults.
 | GREEN | German-based, EU-hosted. v3 SDK required for Consent Mode v2; TCF flow can over-collect for non-AdTech sites.
Tag managers · 1 · 0 green · 1 yellow · 0 red
Vendor | Status | Rationale
 | YELLOW | Container only — verdict depends on which tags fire and when. Block until consent. Server-side GTM in the EU recommended.
Session replay · 3 · 0 green · 0 yellow · 3 red
Vendor | Status | Rationale
 | RED | Full session capture — highest-risk category. Explicit consent + DPIA + strict retention.
 | RED | Session replay — high-risk processing per EDPB Guidelines 3/2019. DPIA + explicit consent required. Cannot run pre-consent.
 | RED | Session replay + Microsoft tracking. DPIA + explicit consent required.
Ad pixels · 3 · 0 green · 0 yellow · 3 red
Vendor | Status | Rationale
 | RED | Loads pre-consent if naively placed; cross-device matching is broad. Block until consent + IAB TCF string set.
 | RED | Schrems II concerns persist; advanced matching hashes PII but does not fix the EU→US transfer problem.
 | RED | PRC-parent ownership flagged by the Italian Garante and EDPB; transfers to China contested. Consent + risk acknowledgement required.
Server-side · 3 · 2 green · 1 yellow · 0 red
Vendor | Status | Rationale
 | GREEN | EU-only datacenters strong for FR/DE compliance; per-event pricing scales steeply at high traffic.
 | GREEN | EU server containers handle the routing — but server-side tagging does NOT auto-fix consent. The CMP must still gate browser-side pings.
 | YELLOW | "EU server" ≠ EU data — clients still transmit to Google ad backends downstream. Use only for Google-ecosystem first-party routing.
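The DSK's Consent Mode v2 position (cookieless pings are still terminal-equipment access under TDDDG § 25), the tag-manager verdict ("block until consent") and the server-side note (the CMP must still gate browser-side pings) all reduce to one engineering requirement: a tag's script must not be fetched at all before its category is granted, because loading gtag.js with a "denied" default still sends pings. The following is an added example, not code from this page or from any vendor listed on it. It assumes a CMP that reports decisions as an object of booleans such as { analytics: true, marketing: false }; the category names, tag ids, the loader callback and the G-XXXXXXXX measurement id are this example's own placeholders.

```javascript
// Consent gate for third-party tags (added example; assumes a CMP that
// reports { analytics, marketing } booleans). Category names, tag ids and
// the loader callback are conventions chosen for this example.
//
// Design choice: a tag's <script> is never injected until its category is
// granted. Setting a "denied" Consent Mode default and loading gtag.js
// anyway still emits cookieless pings, which the DSK reads as access to
// terminal equipment under TDDDG § 25.
const CONSENT_CATEGORIES = ["analytics", "marketing"];

function createConsentGate(loadScript) {
  const pending = [];        // tags registered before a permitting decision
  const loaded = new Map();  // tag id -> tag, for scripts already injected
  let decision = null;       // null = no decision yet; treated as deny-all

  function isAllowed(category) {
    return decision !== null && decision[category] === true;
  }

  // Inject a tag at most once; returns true if this call loaded it.
  function fire(tag) {
    if (loaded.has(tag.id)) return false;
    loaded.set(tag.id, tag);
    loadScript(tag.src);
    return true;
  }

  // Register a tag. It fires immediately only if consent already covers it;
  // otherwise it waits in the queue. Unknown categories are rejected so a
  // typo cannot silently bypass the gate.
  function register(tag) {
    if (!CONSENT_CATEGORIES.includes(tag.category)) {
      throw new Error(`unknown consent category: ${tag.category}`);
    }
    if (isAllowed(tag.category)) return fire(tag);
    pending.push(tag);
    return false;
  }

  // Apply a CMP decision. Anything not explicitly `true` stays denied, so a
  // partial or malformed object ("yes", 1, undefined) cannot grant a category.
  // Returns the ids of tags loaded by this decision, in registration order.
  function update(cmpDecision) {
    decision = {};
    for (const c of CONSENT_CATEGORIES) decision[c] = cmpDecision?.[c] === true;
    const fired = [];
    for (let i = pending.length - 1; i >= 0; i--) {
      if (isAllowed(pending[i].category)) {
        const [tag] = pending.splice(i, 1);
        if (fire(tag)) fired.push(tag.id);
      }
    }
    return fired.reverse();
  }

  // Withdrawal edge case: injected scripts cannot be unloaded from a running
  // page. Apply the new decision, then report which already-loaded tags are
  // no longer permitted so the caller can clear their cookies and reload.
  function revoke(cmpDecision = {}) {
    update(cmpDecision);
    return [...loaded.values()]
      .filter((t) => !isAllowed(t.category))
      .map((t) => t.id);
  }

  return {
    register, update, revoke, isAllowed,
    loadedIds: () => [...loaded.keys()],
    pendingIds: () => pending.map((t) => t.id),
  };
}

// Browser wiring (not executed in a headless run): inject <script> elements
// on demand and feed the gate from the CMP callback. The measurement id
// G-XXXXXXXX is a placeholder.
function installInBrowser(cmpSubscribe) {
  const gate = createConsentGate((src) => {
    const s = document.createElement("script");
    s.src = src;
    s.async = true;
    document.head.appendChild(s);
  });
  gate.register({
    id: "ga4", category: "analytics",
    src: "https://www.googletagmanager.com/gtag/js?id=G-XXXXXXXX",
  });
  cmpSubscribe((d) => gate.update(d));
  return gate;
}
```

Everything sits behind the gate's loader callback, so the same object can be driven by a CMP's consent event in the browser or by a test harness that records which URLs would have been fetched. The `revoke` path is the part most deployments forget: after withdrawal the honest options are to clear the tag's cookies and reload, not to keep the already-running script alive.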


Common questions

Is Google Analytics legal in Germany in 2026?
Yes, conditionally. GA4 is usable in Germany only with prior, explicit, granular consent under TDDDG §25. After EU-US DPF (10 Jul 2023), transfers to Google's US servers are lawful in principle while Google LLC remains DPF-certified. Without consent or with DPF lapse, German DPAs treat GA4 as non-compliant.
Do I need a German DPO?
Mandatory under § 38 BDSG when ≥20 employees are regularly involved in automated processing — far below GDPR's general threshold. The headcount includes part-timers, contractors handling personal data, and externalized roles. Most German SMBs need a DPO.
Which DPA is competent for my company?
Federal bodies, telecoms, postal services, and Bundeswehr → BfDI. Private-sector controllers → the Land DPA where you are established (your Sitz). Bavaria has two DPAs (BayLDA for private, BayLfD for public). Cross-border processors with multiple establishments use the GDPR One-Stop-Shop lead-DPA mechanism.
What's the difference between BDSG and GDPR?
GDPR is the EU regulation; BDSG is Germany's national implementation that fills GDPR opening clauses. Key BDSG-only rules: § 38 (DPO at ≥20 employees), § 26 (employee data + works-council interaction), § 22 (special-category permissions for employment/social security/public health), § 42 (criminal liability up to 3 years' imprisonment for intentional commercial mishandling).
What changed when TTDSG was renamed TDDDG?
Effective 14 May 2024, TTDSG was renamed TDDDG (Telekommunikation-Digitale-Dienste-Datenschutz-Gesetz) to align with the EU Digital Services Act. The substantive § 25 cookie-consent rules are unchanged. The 2025 Consent Management Ordinance adds approved CMP services for cookie-flood relief, but does not displace the underlying opt-in baseline.
Is 'legitimate interest' a valid basis for analytics in Germany?
No, for non-essential analytics that store or read on terminal equipment. TDDDG § 25 is independent of GDPR Art 6 — it requires opt-in consent for any non-strictly-necessary cookie or device-storage technology, regardless of GDPR lawful basis. § 25 governs the cookie/tracking layer; GDPR governs subsequent processing.
What about the Betriebsrat (works council) and analytics tools?
BetrVG § 87(1)(6) gives works councils mandatory co-determination over any 'technical device suitable to monitor' employee behavior — which includes most analytics, productivity, HR, and IT-monitoring tools. Deployment requires a works-council agreement (Betriebsvereinbarung). This is independent of GDPR consent and frequently overlooked in German rollouts.
Do I need a German Article 27 representative?
Yes if you are a non-EU controller offering goods/services to or monitoring behavior of people in Germany (or any EEA state), unless the small-business exception in Art 27(2) applies. Several Länder DPAs (notably BlnBDI) have actively pursued non-designation.
What language must my privacy notice be in?
DSK position: notices in German for German-targeted sites — English-only is insufficient. The targeting test mirrors GDPR Art 3(2) — German-language website, .de domain, EUR pricing, German-language marketing, etc. all signal targeting.
Does Schrems II still affect transfers post-DPF?
Yes for non-DPF transfers. The DPF restored adequacy for DPF-certified US importers (renewed by EU General Court Sep 2025, T-553/23). For non-DPF US recipients, Schrems II logic still applies — Transfer Impact Assessment + supplementary measures required. German DPAs (especially LfDI BW) continue to scrutinize TIAs even with DPF as a defensive measure.

// EDITORIAL · NOT LEGAL ADVICE This page summarises Germany's privacy framework as of 2026-05-05. Rules vary by sector, establishment, and DPA position. For binding interpretation, consult counsel admitted here.