Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Germany: TTDSG enters into force

The Federal Act on the Regulation of Data Protection and Privacy in Telecommunications and Telemedia ('TTDSG') entered into force on 1 December 2021.

In particular, the TTDSG regulates the protection of confidentiality and privacy when using telecommunications services and telemedia services, such as websites, messengers, or smart home devices, and also changes the legal framework for the use of cookies and comparable technologies, implementing the requirements of the Directive on Privacy and Electronic Communications (Directive 2002/58/EC) ('the ePrivacy Directive') into national law. Moreover, the TTDSG applies in addition to the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR').

Additionally, under Section 25(1) of the TTDSG, operators of websites and other telemedia generally require the consent of the user if they want to store or access information on the end device. Moreover, under Section 25(2) of the TTDSG, consent is only exceptionally not required if the storage of and access to information in the terminal equipment is absolutely necessary in order to provide a telemedia service expressly desired by the user.

Furthermore, with the TTDSG's provisions now effective, regional German data protection authorities have released statements on the TTDSG outlining important clarifications, as summarised below.

Berlin

The Berlin data protection authority ('Berlin Commissioner') issued, on 1 December 2021, a press release on the TTDSG. In particular, the Berlin Commissioner stated that, for example, a cookie that is used to store items from an online shop in a shopping cart is exempted from consent under the TTDSG as it would be considered 'strictly necessary'.

You can read the press release, only available in German, here.

Hamburg

The Hamburg Commissioner for Data Protection and Freedom of Information ('HmbBfDI') issued, on 30 November 2021, a press release on the entry into force of the TTDSG. In particular, the HmbBfDI highlighted, among other things, that consent under the TTDSG and the GDPR can be obtained at the same time.

Moreover, the HmbBfDI outlined that the wording of the exceptions is to be interpreted narrowly. For instance, with regard to Section 25(2)(2) of the TTDSG, the HmbBfDI clarified that the phrase 'absolutely necessary' is to be understood as a technical, but not an economic, necessity, and that reach measurement, user tracking for advertising purposes, and similar practices are generally not absolutely necessary.

You can read the press release, only available in German, here.

Saxony

The Saxon data protection authority ('SächsDSB') issued, on 30 November 2021, a statement on the TTDSG. In particular, the SächsDSB outlined that website and app operators should urgently check the use of cookies and other technologies and revise the exact design of such technologies and their necessity. In addition, the SächsDSB stated that the type and duration of the storage, as well as the subsequent processing carried out, must meet the requirements of both the TTDSG and the GDPR.

You can read the press release, only available in German, here.

Lower Saxony

The Lower Saxony data protection authority ('LfD Niedersachsen') published, on 1 December 2021, frequently asked questions on the TTDSG ('FAQs'). In particular, the FAQs outline that pursuant to Section 29(1) of the TTDSG, the Federal Commissioner for Data Protection and Freedom of Information ('BfDI') is responsible for data protection in the commercial provision of telecommunications services, regardless of the federal state in which the telecommunications service provider has its registered office.

Additionally, the FAQs highlight that all operators should check whether cookies or third-party services are used on their websites without effective consent, and if this is the case, it must be further clarified whether these are cookies or services for which the exception according to Section 25(2)(2) of the TTDSG applies. Moreover, if there is uncertainty regarding this legal assessment, the cookie or third-party service should be deactivated until clarification is provided. Lastly, the FAQs outline that the TTDSG contains its own regulation on fines in Section 28 and according to this, violations of Sections 19 to 25 of the TTDSG generally constitute an administrative offense, while a violation of Section 25(1) of the TTDSG can, for example, be punished with a fine of up to €300,000.

You can read the FAQs, only available in German, here.

UPDATE (3 December 2021)

LDI NRW releases statement on TTDSG

The North Rhine-Westphalia State Commissioner for Data Protection and Freedom of Information ('LDI NRW') published, on 2 December 2021, a statement on the TTDSG. In particular, the LDI NRW clarified that website and app operators no longer have the option to base further exceptions to the consent requirement on legitimate interest pursuant to Article 6(1)(f) of the GDPR. In addition, the LDI NRW outlined that the further processing of data obtained from cookies is no longer to be assessed according to the TTDSG, but exclusively according to the the GDPR. 

You can read the statement, only available in German, here.