What is the difference between BDSG and GDPR?
The GDPR is a binding EU regulation that applies directly across all member states, while the BDSG is Germany’s national law that supplements the GDPR with specific national rules — especially for public authorities, employment, and criminal law contexts.
What the Law Says
The GDPR (Regulation (EU) 2016/679) is a directly applicable EU law setting minimum standards for personal data protection across all member states. The BDSG (Bundesdatenschutzgesetz) is Germany’s federal data protection law, revised in 2018 to align with and complement the GDPR — filling in areas where the GDPR explicitly permits national legislation.
The GDPR applies uniformly across the EU and takes precedence over national laws wherever it regulates a matter directly. As stated in BDSG § 1(5): 'The provisions of this Act do not apply insofar as the law of the European Union, in particular Regulation (EU) 2016/679 in its currently applicable version, applies directly.' This means the BDSG does not apply where the GDPR already fully governs a situation.
However, under GDPR Article 23, member states may introduce national rules for specific situations — such as national security, criminal investigations, or employment. The BDSG exercises this option: it adds detailed rules for public authorities (§ 1(1)), employee data processing, journalistic exemptions, and data processing by courts and prosecutors — areas where the GDPR permits national discretion.
BDSG § 1(4) clarifies its territorial scope: it applies to non-public entities only when they process personal data in Germany, operate a domestic establishment, or fall under GDPR’s extraterritorial reach — reinforcing that the GDPR remains the primary framework.
Statutory Text
The provisions of this Act do not apply insofar as the law of the European Union, in particular Regulation (EU) 2016/679 in its currently applicable version, applies directly.
— BDSG § 1(5) — Federal Data Protection Act
What to Do
Check whether your data processing activity falls under GDPR’s direct rules (e.g., lawful basis, data subject rights, breach reporting).
If operating in Germany, consult BDSG for national additions — especially for HR data, public administration, or criminal law contexts.
Ensure your privacy notices and legal bases reflect both GDPR requirements and any applicable BDSG provisions (e.g., § 26 BDSG for employment).
Appoint a Data Protection Officer if required under GDPR *or* BDSG — e.g., BDSG § 38 mandates one for certain public bodies beyond GDPR thresholds.
Not legal advice. This article is general information based on publicly available sources, written for educational purposes. Laws change and individual situations vary. Consult a licensed attorney in your jurisdiction before acting on anything you read here. Last reviewed: June 2026.