Germany

What are the penalties for GDPR violations?

Up to €20M
Max GDPR fine
4% turnover
Alternative GDPR cap
3 years
Max prison term
€50,000
Max BDSG fine
The Short Answer

GDPR violations in Germany can lead to criminal penalties (up to 3 years imprisonment) under BDSG § 42 or administrative fines up to €20 million or 4% of global annual turnover under EU GDPR — plus up to €50,000 for specific BDSG breaches.

What the Law Says

Germany enforces GDPR violations through both EU-level administrative penalties and national criminal and administrative sanctions under the Bundesdatenschutzgesetz (BDSG). While the GDPR sets the primary framework, the BDSG adds complementary German-specific penalties.

Under BDSG § 42, certain serious data protection violations are treated as criminal offenses. For example, knowingly disclosing non-public personal data of a large number of people to a third party without authorization — and doing so commercially — is punishable by up to three years’ imprisonment or a fine.

A second criminal offense under BDSG § 42 involves unauthorized processing of non-public personal data (e.g., by deception or for financial gain), punishable by up to two years’ imprisonment or a fine.

Importantly, these criminal provisions are only prosecuted upon complaint (Antrag), and only specific parties — such as the affected individual, the controller, the Federal Commissioner for Data Protection, or the supervisory authority — may file that complaint.

For less severe breaches, BDSG § 43 imposes administrative fines (Ordnungswidrigkeiten) — e.g., failing to properly respond to a data subject’s access request (§ 30 para. 1) or not informing a consumer correctly about data processing (§ 30 para. 2). These violations carry fines of up to €50,000.

Note: Public authorities (e.g., government agencies) cannot be fined under BDSG § 43 — though they remain fully liable under the GDPR’s higher penalty regime.

Statutory Text

Mit Freiheitsstrafe bis zu drei Jahren oder mit Geldstrafe wird bestraft, wer wissentlich nicht allgemein zugängliche personenbezogene Daten einer großen Zahl von Personen, ohne hierzu berechtigt zu sein, einem Dritten übermittelt oder auf andere Art und Weise zugänglich macht und hierbei gewerbsmäßig handelt.

BDSG § 42(1) — Criminal provisions for data protection violations
Statutory Text

Mit Freiheitsstrafe bis zu zwei Jahren oder mit Geldstrafe wird bestraft, wer personenbezogene Daten, die nicht allgemein zugänglich sind, ohne hierzu berechtigt zu sein, verarbeitet oder durch unrichtige Angaben erschleicht und hierbei gegen Entgelt oder in der Absicht handelt, sich oder einen anderen zu bereichern oder einen anderen zu schädigen.

BDSG § 42(2) — Criminal provisions for data protection violations
Statutory Text

Die Tat wird nur auf Antrag verfolgt. Antragsberechtigt sind die betroffene Person, der Verantwortliche, die oder der Bundesbeauftragte und die Aufsichtsbehörde.

BDSG § 42(3) — Criminal provisions for data protection violations
Statutory Text

Ordnungswidrig handelt, wer vorsätzlich oder fahrlässig entgegen § 30 Absatz 1 ein Auskunftsverlangen nicht richtig behandelt oder entgegen § 30 Absatz 2 Satz 1 einen Verbraucher nicht, nicht richtig, nicht vollständig oder nicht rechtzeitig unterrichtet.

BDSG § 43(1) — Administrative fines
Statutory Text

Die Ordnungswidrigkeit kann mit einer Geldbuße bis zu fünfzigtausend Euro geahndet werden.

BDSG § 43(2) — Administrative fines

What to Do

1

Report the violation to your local German data protection authority (e.g., LfDI Baden-Württemberg or BfDI for federal matters)

2

If you’re personally affected and the breach involved criminal conduct (e.g., commercial misuse of sensitive data), consider filing a formal complaint with the public prosecutor

3

Document all evidence — emails, screenshots, notices, and timelines — to support your report or complaint

4

Remember: Reporting a breach under GDPR Articles 33 or 34 does not waive your rights — those reports cannot be used against you in criminal or administrative proceedings without your consent

Sources

statuteBDSG § 42 — Criminal provisions for data protection violationsstatuteBDSG § 43 — Administrative fines

Related Questions

What can I do if a company has a data breach affecting me?Can I sue for damages after a data protection violation?What rights do I have under the GDPR in Germany?How do I exercise my right to access my personal data?

Same Question, Other Jurisdictions

SingaporeEuropean UnionUKSouth KoreaIndiaCompare all →

Not legal advice. This article is general information based on publicly available sources, written for educational purposes. Laws change and individual situations vary. Consult a licensed attorney in your jurisdiction before acting on anything you read here. Last reviewed: June 2026.