German data protection authorities – the Datenschutzbehörden (data protection authorities, collectively referred to as the DPA network) – have sharpened their enforcement posture in 2025. Investigations have widened in scope, fines have grown in scale, and formal orders now reach companies with no physical presence in Germany. International businesses that treat GDPR compliance as a one-time project face real financial and reputational exposure.
Germany's federal and state DPAs have intensified coordinated enforcement actions targeting inadequate consent mechanisms, unlawful cross-border data transfers, and failures in data processor oversight. Affected businesses must review their compliance positions promptly, as several supervisory authorities have set explicit remediation deadlines of 30 to 90 days following initial contact. Companies that fail to respond within those windows risk formal corrective orders and escalating administrative fines under EU data protection legislation.
This alert identifies the specific regulatory developments, the business categories affected, and the immediate actions required to reduce exposure under German and EU data protection law.
What has changed: the regulatory developments
Germany's DPA network operates across 17 independent supervisory bodies – one federal authority and 16 state-level counterparts. In 2025, these authorities have coordinated enforcement in three distinct areas.
Consent mechanism audits. Multiple state DPAs have launched systematic reviews of cookie banners and consent management platforms used by websites directed at German users. The central finding is that pre-ticked boxes, deceptive design patterns, and bundled consent remain widespread. Authorities have issued formal warnings and, in repeated cases, administrative fines. A valid consent mechanism under EU data protection legislation must be freely given, specific, informed, and unambiguous. German DPAs now apply this standard strictly, with no tolerance for designs that nudge users toward acceptance.
International data transfer controls. The Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (Federal Commissioner for Data Protection and Freedom of Information) has reopened scrutiny of data transfers to third countries. particularly transfers relying on standard contractual clauses without accompanying transfer impact assessments. Authorities are examining whether the receiving country's legal system offers equivalent protection. Where assessments are absent or superficial, regulators have ordered suspension of transfers.
Data processor agreements. German DPAs have found that many data controllers. including subsidiaries of multinationals registered as a GmbH (Gesellschaft mit beschränkter Haftung. A German private limited company) in the Handelsregister (German Commercial Register). operate without compliant written agreements with their data processors. Under EU data protection legislation, a data controller must document all processing activities carried out on its behalf and bind processors to specific obligations. Absent or incomplete agreements are now a primary audit trigger.
For companies intersecting with AI-driven data processing, the interaction between data protection requirements and emerging AI regulation is particularly acute. Our analysis of AI and technology law in Germany addresses how these regulatory regimes intersect and what compliance steps companies should prioritise.
Who is affected: threshold criteria and business categories
The enforcement actions affect a broad range of organisations. The following categories face the highest immediate risk.
E-commerce and digital service providers targeting German consumers are subject to DPA jurisdiction regardless of where the company is incorporated. A business registered outside the EU that directs goods or services at German residents, or that monitors their behaviour, falls within the territorial scope of EU data protection legislation. This includes businesses with no German entity – even those without a GmbH or any other German registration.
SaaS and cloud companies acting as data processors for German clients bear direct obligations. Processor-side compliance gaps – inadequate security measures, sub-processor chains lacking written authorisation. Alternatively. Missing deletion protocols – have been cited in recent enforcement decisions by the Bundesgerichtshof (Federal Court of Justice of Germany) and lower courts including the Amtsgericht (local court) level when private damage claims have followed regulatory findings.
Financial and professional services firms handling sensitive personal data – including health information, financial profiles, or employment records – are subject to heightened scrutiny. DPAs have shown particular interest in profiling and automated decision-making processes used by fintech and insurtech companies.
Businesses undergoing restructuring. Companies in insolvency proceedings under the Insolvenzordnung (German Insolvency Act) are not exempt from data protection obligations. DPAs have confirmed that personal data held by insolvent entities remains subject to full protection requirements. An insolvency administrator inherits the data controller's compliance obligations.
The threshold for formal DPA action is not tied to company size. Small subsidiaries of international groups, mid-market operators, and digital startups have all received enforcement correspondence in the current cycle.
To receive an expert assessment of your company's data protection exposure in Germany, contact us at info@ferrazwhitmore.com.
What to do now: immediate actions and compliance deadlines
The following actions address the specific areas targeted in recent German enforcement activity. Each should be assigned to a responsible owner with a defined completion date.
- Audit your consent mechanism. Review all cookie banners and consent flows directed at German users. Confirm that no pre-selected options are present, that consent can be withdrawn as easily as it is given, and that each processing purpose is described individually. Remediation should be completed within 30 days of this alert.
- Complete or update transfer impact assessments. For every cross-border data transfer relying on standard contractual clauses, document the legal conditions in the receiving country. Where the assessment identifies risk, implement supplementary measures or suspend the transfer. DPAs have set 60-day remediation windows in several recent proceedings.
- Verify data processor agreements. Identify every vendor, cloud provider, or service partner that processes personal data on your instructions. Confirm that written data processing agreements are in place, current, and include all required clauses under EU data protection legislation – including provisions governing sub-processors and data deletion.
- Map your processing register. A current record of processing activities is a prerequisite for demonstrating GDPR compliance. Controllers and processors meeting the relevant size or activity thresholds under data protection legislation are required to maintain this record. Review it now against your actual systems and data flows.
- Designate or confirm your Data Protection Officer. German law requires certain categories of data controllers and processors to appoint a Datenschutzbeauftragter (Data Protection Officer). If your organisation processes data at scale, handles sensitive categories, or carries out systematic monitoring, verify whether this obligation applies and whether the appointment meets current requirements.
For a tailored strategy on GDPR compliance and data protection obligations in Germany, reach out to info@ferrazwhitmore.com.
Companies managing data protection compliance across multiple EU jurisdictions will also find relevant guidance in our alert on data protection enforcement in Portugal, which addresses parallel regulatory developments under Portuguese supervisory authority oversight.
For a comprehensive overview of the firm's data protection practice and the full range of compliance services available for German-market operations, visit our page on data protection law in Germany.
About Ferraz & Whitmore
Ferraz & Whitmore is an international law firm based in Lisbon, advising business clients across 46 jurisdictions. Our data protection and technology practice supports international businesses, GmbH subsidiaries, and digital service providers in building and maintaining GDPR-compliant operations across Germany and the wider EU. As a law firm in Germany and across Europe, we combine Portuguese civil law expertise with English common law tradition to deliver practical cross-border compliance counsel. Our team includes practitioners with experience before German DPAs, the EU data protection supervisory network, and in data transfer and consent mechanism disputes. Engaging a lawyer in Germany with cross-border experience is particularly valuable when enforcement actions span multiple jurisdictions or involve processors and controllers in different legal systems. To discuss your data protection situation in Germany, contact us at info@ferrazwhitmore.com.
Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. Ferraz & Whitmore assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@ferrazwhitmore.com.