Germany applies GDPR more strictly than most EU member states. Its data protection authorities are active, well-funded and have issued significant fines against companies of all sizes. More immediately, German competitors routinely monitor new websites for compliance gaps and send cease-and-desist letters (Abmahnungen) as a commercial strategy.
This guide is for companies - particularly international ones - that need to understand exactly what their website must comply with before going live in the German market.
Does GDPR Apply to Your Website in Germany?
The short answer is: probably yes, even if your company isn't based in Germany.
GDPR Article 3 establishes the "targeting criterion": the regulation applies when you process personal data of individuals in the EU, and either (a) your processing is related to offering goods or services to EU residents, or (b) you monitor the behaviour of EU residents.
In practice, this means GDPR applies to your website if:
- You target German users with German-language content
- You display Euro pricing
- You use a .de domain
- You accept German payment methods
- Your contact form or newsletter collects data from German residents
Having a non-German company registration does not exempt you. If you're actively targeting German users, you're in scope.
What German GDPR Enforcement Actually Looks Like
Germany has 16 state-level data protection authorities (Landesdatenschutzbehörden), each with enforcement powers. The most active include the Bavarian State Office for Data Protection Supervision (BayLDA), the Hamburg Commissioner for Data Protection and Freedom of Information, and the Baden-Württemberg State Commissioner.
In addition to regulatory enforcement, Germany has a unique civil enforcement mechanism: competitors can issue Abmahnungen (warning letters) under German Telemedia Law (TMG) for violations of the Impressum requirement, which is a separate legal obligation that runs alongside GDPR rather than forming part of it. An Abmahnung typically demands €800-€2,500 in lawyer fees and a signed injunction agreeing not to repeat the violation.
Notable enforcement actions relevant to websites:
- German courts have ruled that loading Google Fonts from Google's servers (rather than self-hosting) violates GDPR, even without cookies (LG München I, 2022)
- The LfDI Baden-Württemberg issued guidance that many common cookie banners are non-compliant because they make rejection harder than acceptance
- Multiple companies have been fined for operating contact forms that process data without a valid legal basis or without an adequate Datenschutzerklärung
The Core Website Requirements
1. Impressum (Legal Imprint)
This is a German Telemedia Law (TMG) requirement, not a GDPR requirement - but it's enforced aggressively and is often the first thing competitors check. Every commercial website must display a complete legal notice reachable within two clicks from any page, containing:
- Full legal name and business form (e.g., "Ventas Webdesign CLG", not just "Ventas")
- Complete postal address - P.O. boxes are not accepted
- Direct contact: phone number or email address (a contact form alone is not sufficient)
- VAT ID (Umsatzsteuer-Identifikationsnummer) if applicable
- Commercial register number and court if registered
- For regulated professions: professional title, licensing authority, professional liability insurance
This applies to foreign company websites targeting Germany. If your company is registered in the UK, Ireland or the US but your website targets German users, you need a German Impressum.
2. Datenschutzerklärung (Privacy Policy)
Your privacy policy must be specific to your site. Generic template privacy policies that list tools you don't use - or don't mention tools you do use - are a compliance problem. A correct Datenschutzerklärung must cover:
- What personal data you collect (contact form data, log files, analytics, cookies)
- The legal basis for processing each category (GDPR Article 6)
- How long data is retained
- With whom data is shared (hosting providers, analytics tools, email processors)
- User rights: access, rectification, erasure, restriction, portability, objection
- Contact details for your data protection officer (if required) or the responsible person
- The right to lodge a complaint with a supervisory authority
3. Cookie Consent
Non-essential tracking scripts and cookies cannot load until the user actively accepts. The valid consent standard in Germany is high:
- The banner must offer a genuine, easy reject option - equal in prominence to the accept option
- Pre-ticked boxes are invalid
- "Continued browsing constitutes consent" is invalid
- Consent must be logged with a timestamp and unique identifier
- Users must be able to withdraw consent as easily as they gave it
Tools that trigger consent requirements: Google Analytics (including GA4), Google Tag Manager, Meta Pixel, LinkedIn Insight Tag, Hotjar, any advertising network script, Google Fonts loaded from Google's servers, YouTube embeds with standard iframes, Google Maps iframes.
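As an added example (not code from the original page or from the agency), here is the consent gating described above in plain browser JavaScript: placeholder scripts stay inert until the visitor's recorded choice allows them, the record carries the timestamp and identifier the text requires, and withdrawal writes a fresh record. The data-consent attribute, the category names and CONSENT_VERSION are assumptions.

```javascript
// Added example (not the agency's code): gate non-essential scripts behind consent,
// log the decision with timestamp and id, and support withdrawal. Assumption: gated scripts
// are authored as <script type="text/plain" data-consent="analytics" src="..."></script>
// so the browser never runs them on page load; the 'essential' category needs no consent.

const CONSENT_VERSION = 1; // assumption: bump when the tool list in the Datenschutzerklärung changes

function newId() {
  const c = globalThis.crypto;
  if (c && typeof c.randomUUID === 'function') return c.randomUUID();
  return 'c-' + Date.now().toString(36) + '-' + Math.random().toString(36).slice(2, 10);
}

// The consent record is what gets persisted (e.g. localStorage) as the log entry.
// Unlisted categories default to false: nothing is pre-ticked.
function createConsentRecord(choices, now = Date.now()) {
  return {
    id: newId(),
    timestamp: new Date(now).toISOString(),
    version: CONSENT_VERSION,
    categories: { analytics: false, marketing: false, ...choices, essential: true },
  };
}

// No record, or a record for an older version, means no consent for anything non-essential.
function isAllowed(record, category) {
  if (category === 'essential') return true;
  return Boolean(record && record.version === CONSENT_VERSION && record.categories[category] === true);
}

// Withdrawal is logged like consent: same id, fresh timestamp, category set to false.
// Scripts that already ran cannot be unloaded, so reload the page after saving this record.
function withdrawConsent(record, category, now = Date.now()) {
  const categories = { ...record.categories, [category]: false };
  return { ...record, timestamp: new Date(now).toISOString(), categories };
}

// Replace each consented placeholder with a real script element; returns the count activated.
function activateConsentedScripts(record, doc = globalThis.document) {
  if (!doc) return 0;
  let activated = 0;
  for (const el of doc.querySelectorAll('script[type="text/plain"][data-consent]')) {
    if (!isAllowed(record, el.dataset.consent)) continue;
    const real = doc.createElement('script');
    if (el.src) real.src = el.src; else real.textContent = el.textContent;
    el.replaceWith(real);
    activated += 1;
  }
  return activated;
}
```

Call activateConsentedScripts on page load with the stored record (if any) and again right after the visitor accepts; persist the record returned by withdrawConsent and reload.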
4. Data Processing Agreements (AVV)
Under GDPR Article 28, you must have a written data processing agreement with every service provider that processes personal data on your behalf. For a standard business website, this typically means:
- Your web hosting provider
- Your web agency (if they have access to your contact form data or analytics)
- Google Analytics / Google Workspace
- Email marketing platforms (Mailchimp, ActiveCampaign, etc.)
- Any CRM that receives website enquiry data
Most major providers (Google, AWS, Hetzner, IONOS) offer standard AVV documents in their account settings. Make sure you've activated them.
Pre-Launch Compliance Checklist
- Impressum complete and reachable within two clicks from every page
- Datenschutzerklärung specific to your site - covers all actual tools and data flows
- Cookie consent banner with genuine, equally accessible accept and reject options
- Google Fonts self-hosted or replaced with system fonts
- Google Analytics blocked until consent - not just anonymised, but blocked entirely until the user accepts
- Contact form with mandatory DSGVO consent checkbox
- Data processing agreements signed with hosting provider, agency and analytics tools
- SSL certificate active - all pages served over HTTPS
- Consent withdrawal mechanism - users can change their cookie settings after initial decision
- Newsletter double opt-in if you have email signup (required by German courts)
What We Handle Automatically
Every website we build includes GDPR compliance as a default, not an add-on:
- Impressum drafted for your specific business form and jurisdiction
- Datenschutzerklärung specific to your site's actual tools and data flows
- Cookie consent solution blocking all non-essential scripts until acceptance
- Google Fonts self-hosted from your server
- Google Analytics configured with consent mode, blocked until acceptance
- Contact forms with mandatory DSGVO consent and EU-only data processing
- Data processing agreement offered to all clients as standard
We explain each element in plain English. You review, approve and we go live. See our web design for expats and English-speaking web design pages for more on how we work.
FAQ
Does GDPR apply to foreign companies with websites targeting Germany?
Yes. GDPR applies whenever a website processes personal data of people in the EU, regardless of where the company is headquartered. If your website targets German users - German language, Euro pricing, .de domain, German address in the footer - German data protection law and GDPR apply in full, including the Impressum requirement under German Telemedia Law.
What is the difference between GDPR and German DSGVO?
DSGVO is the German name for the EU's GDPR regulation. They refer to the same EU law. Germany has additionally enacted the Federal Data Protection Act (BDSG) which adds national specifics on top, including stricter rules around employee data processing. For most business websites, GDPR/DSGVO is the primary framework.
What happens if my website doesn't comply with GDPR in Germany?
Data protection authorities can fine up to €20 million or 4% of global annual revenue. More immediately, competitors can issue Abmahnung warning letters for Impressum violations, typically demanding €1,000–€3,000 in legal fees plus an injunction. Individual users can file complaints with state data protection authorities.
Do I need a data processing agreement with my web agency?
Yes. If your agency processes personal data on your behalf - hosting your site, accessing contact form submissions or managing analytics - you need a written data processing agreement (Auftragsverarbeitungsvertrag, AVV) under GDPR Article 28. Reputable German web agencies offer this as standard. Ask before you sign a contract.
