A mid-sized construction company analyses the time-tracking data from its site access system to identify break-time violations. The works council files a complaint, and the supervisory authority asks for details. What it demands: the legal basis under section 26 BDSG, the works agreement, and proof that the analysis was necessary and proportionate. Without this documentation the case does not hold: the authority prohibits the analysis and considers a fine.
The Federal Data Protection Act (BDSG) supplements the GDPR in German law. It makes use of the regulation's opening clauses, governs the national supervisory authorities and concretises topics such as employee data protection, video surveillance and data processing by security authorities. For every organisation in Germany, GDPR compliance remains incomplete without knowledge of the BDSG.
Who is affected?
The BDSG applies to every organisation that processes personal data in Germany. It supplements the GDPR without replacing it. Concretely, it covers:
- Non-public bodies — companies, associations, foundations, freelancers (defined in section 2(4) BDSG). The territorial scope is set by section 1(4) BDSG: processing in Germany, processing in the context of an establishment in Germany, or processing by a controller or processor without an EU establishment that nonetheless falls under the GDPR.
- Federal public bodies — federal ministries, federal authorities, federal corporations.
- Employees in Germany — section 26 BDSG is the central norm for processing employee data.
- Processors based in Germany — even if the controller is based abroad.
For public bodies of the federal states (Länder), the respective state data protection laws apply. These largely follow the BDSG structure but differ in detail.
What does the law require?
The BDSG fills the GDPR’s opening clauses with national law. The key requirements:
- Appointment of a Data Protection Officer (section 38) — mandatory as soon as at least 20 people are regularly engaged in the automated processing of personal data, and regardless of headcount where the processing requires a data protection impact assessment or personal data is processed commercially for transfer or for market or opinion research. Document the appointment and communicate the DPO's contact details to the supervisory authority (Art. 37(7) GDPR).
- Employee data protection (section 26) — processing for employment purposes is permitted where it is necessary for the employment relationship. The detection of criminal offences carries additional hurdles (section 26(1) sentence 2): documented factual indications of an offence committed during employment, necessity of the processing for the investigation, and a proportionality test. Since the CJEU judgment in C-34/21 (30 March 2023) on the parallel Hessian provision, the compatibility of section 26(1) with Art. 88 GDPR has been in doubt; many controllers therefore cite Art. 6(1) GDPR alongside it.
- Video surveillance (section 4) — publicly accessible spaces may only be monitored under strict conditions, with signage identifying the controller and deletion as soon as the purpose is achieved. Caveat: the Federal Administrative Court (BVerwG, judgment of 27 March 2019, 6 C 2.18) held that section 4(1) BDSG does not apply to non-public bodies; their video surveillance is assessed directly under Art. 6(1)(f) GDPR, with equivalent signage and deletion duties following from Art. 13 and Art. 5(1)(e) GDPR.
- Commitment to data secrecy (section 53) — applies to persons engaged in processing covered by Part 3 of the BDSG (police and criminal-justice purposes). In the private sector the equivalent duty runs through Art. 29 and Art. 32(4) GDPR (processing only on the controller's instructions), typically implemented in the employment contract or a separate declaration.
- Rights to information, access, erasure and objection (sections 32–37) — concretises the GDPR data subject rights under German law and defines exceptions, for example to the information duties and to the right of access.
- Credit checks and scoring (section 31) — conditions for calculating probability values on creditworthiness.
- Penalty provisions (sections 41–43) — criminal offences (section 42) and administrative fines (section 43) for specific German violations, in addition to the GDPR penalty framework under Art. 83 GDPR.
In practice
Treat DPO appointment as an ongoing task. The "20 people" threshold is easily overlooked in growing organisations. Once the threshold is permanently exceeded, the appointment obligation applies. A missing appointment can be made retroactively, but the period of non-compliance can still be fined. When outsourcing to an external DPO, management retains responsibility.
Coordinate employee data protection with the works council. Every analysis of employee data (time tracking, email logs, workplace video surveillance) should rest on a documented legal basis. The works council's co-determination right under section 87(1) no. 6 BetrVG (technical devices suited to monitor behaviour or performance) runs in parallel to data protection law. A works agreement can itself serve as a legal basis (Art. 88(1) GDPR, section 26(4) BDSG) and can concretise the requirement of necessity, but it cannot lower the GDPR's level of protection.
Document the commitment to data secrecy. Every new employee who receives access to personal data is bound to data secrecy before that access is granted. In practice this is done in the employment contract or via a separate form, often combined with initial data protection training, and the signed record is kept in the personnel file.
Mapping to ISO 27001
The BDSG requirements overlap substantially with the ISO/IEC 27001:2022 Annex A controls, particularly on the technical and organisational measures (TOMs) from Art. 32 GDPR and on personnel security.
Directly relevant controls:
- A.5.34 — Privacy and protection of personally identifiable information: central bridge for all data protection requirements, including BDSG specifications.
- A.6.6 — Confidentiality or non-disclosure agreements: contractual implementation of the commitment to data secrecy.
- A.6.3 — Information security awareness, education and training: initial data protection training and annual refreshers.
- A.5.13 — Labelling of information: classification of employee and customer data.
- A.5.14 — Information transfer: secure transmission in response to access requests.
- A.5.24 — Information security incident management planning and preparation: prerequisite for breach notification to the German supervisory authorities within 72 hours (Art. 33 GDPR).
- A.7.10 — Storage media: secure disposal of personnel files and storage media.
- A.8.10 — Information deletion: implementing deletion obligations after the end of employment.
- A.8.11 — Data masking: pseudonymisation in HR analytics.
- A.8.24 — Use of cryptography: encryption of personnel files and payroll data.
Typical audit findings
- DPO appointment missing or not reported — the supervisory authority has not been given the DPO's contact details, or the appointment is not documented.
- Data secrecy commitment only in the employment contract, without proof — no separate signature, no annual refresher.
- Video surveillance without signage or balancing test — recordings are stored too long, the purpose is not documented.
- Employee data analysis without legal basis — email logs, time-tracking analyses, location data without a works agreement and without documented necessity.
- Applicant data stored too long — the supervisory authorities recommend deletion around six months after rejection, which covers the period for claims under the AGG; many organisations keep applications for years.
- Outsourcing to an external DPO without clear resource arrangements — the external DPO formally holds the role but has no hours, no access, no effectiveness.
Sources
- BDSG full text (Gesetze im Internet) — official version of the Federal Ministry of Justice
- German Data Protection Conference (DSK) — resolutions and guidance from the German supervisory authorities
- BfDI — Federal Commissioner for Data Protection — supervisory authority for federal bodies, postal services and telecommunications
- Federal Labour Court on employee data processing — case law on section 26 BDSG