Germany

What rights do I have under the GDPR in Germany?

72 hours
Breach notification deadline for controllers
€20M
Max GDPR fine per violation
3 years
Limitation period for damages claims
1 month
Standard response time for requests
The Short Answer

You have strong GDPR rights in Germany—including access, correction, deletion, restriction, portability, and objection—as reinforced by the German Federal Data Protection Act (BDSG). You can also claim damages for violations.

What the Law Says

Your GDPR rights apply directly in Germany, supplemented by the Bundesdatenschutzgesetz (BDSG), which tailors EU rules to national needs. The BDSG does not replace the GDPR but fills gaps—especially for non-public bodies and specific public-sector processing.

Under the GDPR (Regulation (EU) 2016/679), you have eight core rights as a data subject: the right to be informed; access; rectification; erasure ('right to be forgotten'); restriction of processing; data portability; objection; and rights related to automated decision-making and profiling.

The BDSG applies alongside the GDPR. Section 1 clarifies its scope: it governs both public and non-public entities processing personal data in Germany — including when they fall under GDPR jurisdiction, even without a physical establishment in the EU (e.g., offering goods/services to Germans). It explicitly defers to the GDPR where EU law applies directly.

BDSG § 83 provides your legal basis to claim compensation. If a controller unlawfully processes your data and causes damage—even non-material harm like distress—you may demand appropriate monetary compensation. Liability is strict for automated processing; for non-automated processing, fault must be proven.

Statutory Text

Dieses Gesetz findet Anwendung auf öffentliche Stellen. Auf nichtöffentliche Stellen findet es Anwendung, sofern der Verantwortliche oder Auftragsverarbeiter personenbezogene Daten im Inland verarbeitet, die Verarbeitung personenbezogener Daten im Rahmen der Tätigkeiten einer inländischen Niederlassung des Verantwortlichen oder Auftragsverarbeiters erfolgt oder der Verantwortliche oder Auftragsverarbeiter zwar keine Niederlassung in einem Mitgliedstaat der Europäischen Union oder in einem anderen Vertragsstaat des Abkommens über den Europäischen Wirtschaftsraum hat, er aber in den Anwendungsbereich der Verordnung (EU) 2016/679 [...] fällt.

BDSG § 1 — Federal Data Protection Act
Statutory Text

Hat ein Verantwortlicher einer betroffenen Person durch eine Verarbeitung personenbezogener Daten, die nach diesem Gesetz oder nach anderen auf ihre Verarbeitung anwendbaren Vorschriften rechtswidrig war, einen Schaden zugefügt, ist er oder sein Rechtsträger der betroffenen Person zum Schadensersatz verpflichtet.

BDSG § 83 — Federal Data Protection Act

What to Do

1

Submit a written or electronic request to the controller (e.g., company or authority) specifying which right(s) you’re exercising.

2

Keep proof of submission (e.g., email receipt or registered mail tracking number).

3

If ignored or denied, file a complaint with the competent German supervisory authority (e.g., LfDI Baden-Württemberg or BfDI for federal matters).

4

For material or non-material damage, consult a lawyer to pursue compensation under BDSG § 83 — claims must be filed within 3 years.

Sources

statuteBDSG § 1 — Scope of the Federal Data Protection ActstatuteBDSG § 83 — Right to compensation for damages

Related Questions

Can I request a company to delete all my personal data?How do I exercise my right to access my personal data?Can I sue for damages after a data protection violation?Can I object to my data being used for advertising?

Same Question, Other Jurisdictions

IrelandEuropean UnionUKCompare all →

Not legal advice. This article is general information based on publicly available sources, written for educational purposes. Laws change and individual situations vary. Consult a licensed attorney in your jurisdiction before acting on anything you read here. Last reviewed: June 2026.