Germany Data Privacy Laws: GDPR, BDSG & Enforcement Guide (2026)

Germany regulates personal data under the EU GDPR as implemented by the Bundesdatenschutzgesetz (BDSG), which adds stricter rules on DPO appointments, employee data, and criminal penalties. Both laws rest on a constitutional right to informational self-determination established by the Federal Constitutional Court's 1983 Census Judgment.
Germany occupies a singular position in the global data privacy landscape. Long before the European Union adopted the General Data Protection Regulation in 2016, Germany had already spent decades building one of the world's most comprehensive data protection frameworks. The country's approach to privacy is shaped by historical trauma, constitutional law, and a deeply rooted cultural expectation that individuals should control how their personal information is used.
This guide covers every major dimension of German data privacy law as it stands in 2026 -- from the federal and state regulatory structure, constitutional foundations, employee monitoring rules, and the EU AI Act overlay, to the enforcement actions that have made Germany one of the most active GDPR jurisdictions in Europe.
Quick Answer: What Governs Data Privacy in Germany?
Three legal instruments work together. The EU General Data Protection Regulation (GDPR) applies directly across all EU member states and sets the baseline. The Bundesdatenschutzgesetz (BDSG, Federal Data Protection Act) implements the GDPR's national "opening clauses," adding stricter rules on DPO appointments, employee data, video surveillance, credit scoring, and criminal penalties. The TDDDG (formerly TTDSG) governs privacy in telecommunications and digital services, covering cookie consent, communications confidentiality, and device-access rules.
Sitting beneath all of this is a constitutional right to informational self-determination that predates the GDPR by more than three decades. That right shapes how German courts interpret every data protection question that reaches them.
For cross-border context, see our guide to EU data privacy laws and, for recording-specific rules in Germany, our Germany recording laws page.
Historical Foundations: Why Germany Takes Privacy So Seriously
Germany's strict approach to data protection did not emerge in a vacuum. Two authoritarian regimes in the twentieth century left the German public with a visceral understanding of what happens when governments collect personal information without restraint.
The Nazi regime used census and registration data to identify and persecute minorities. Then, in the German Democratic Republic, the Stasi maintained files on an estimated six million East German citizens -- roughly one-third of the population. Neighbors informed on neighbors, phone calls were tapped, and mail was opened. When the Berlin Wall fell in 1989, citizens storming Stasi headquarters found more than 111 kilometers of shelved files. That collective memory shapes German attitudes toward surveillance and data collection to this day.
The 1983 Census Ruling and Informational Self-Determination
The legal cornerstone of German data privacy is a 1983 decision by the Federal Constitutional Court (Bundesverfassungsgericht) known as the Volkszählungsurteil, or Census Judgment. The West German government had planned a comprehensive national census, and hundreds of thousands of citizens protested in the streets. The case reached the Constitutional Court, which struck down key provisions of the Census Act.
In its ruling on December 15, 1983, the Court derived a new fundamental right from Articles 1(1) and 2(1) of the Basic Law (Grundgesetz): the right to informational self-determination (Recht auf informationelle Selbstbestimmung). The Court held that individuals must have "the authority to decide themselves, on the basis of the idea of self-determination, when and within what limits information about their private life should be communicated to others."
This right has constitutional force. Every German data protection law enacted since 1983 operates within the framework the Census Judgment established. The decision predated the GDPR by more than three decades, and it explains why Germany's implementation of European data protection standards consistently goes further than what Brussels alone requires. Other EU member states and courts across Europe have drawn on the Census Judgment as a source of inspiration when developing their own constitutional privacy doctrine.
The Legal Framework: GDPR, BDSG, TDDDG, and State Laws
German data privacy law in 2026 rests on several interlocking layers. Understanding how they interact is essential for compliance.

The GDPR as the Foundation
The General Data Protection Regulation (EU) 2016/679 applies directly in Germany as in all EU member states. It took effect on May 25, 2018, and governs the processing of personal data by organizations operating within the EU, offering goods or services to EU residents, or monitoring the behavior of individuals in the EU.
The GDPR provides the baseline rules: lawfulness principles under Article 5, six legal bases for processing under Article 6 (consent, contract, legal obligation, vital interests, public task, and legitimate interests), data subject rights under Articles 12 through 22, and the enforcement framework, including fines of up to EUR 20 million or 4% of global annual turnover.
The Bundesdatenschutzgesetz (BDSG)
The Bundesdatenschutzgesetz was enacted on June 30, 2017, to complement the GDPR at the national level. It exercises the GDPR's "opening clauses," which allow member states to adopt more specific or stricter rules in certain areas.
Key areas where the BDSG supplements the GDPR include:
- Data Protection Officer appointments (Section 38): Germany requires a DPO when 20 or more employees are regularly involved in automated data processing -- a substantially lower threshold than the GDPR's own Article 37 criteria for private-sector controllers.
- Employee data protection (Section 26): Special rules for processing employee personal data in the employment context, discussed in detail below.
- Video surveillance of publicly accessible spaces (Section 4): Specific provisions governing CCTV in areas accessible to the public, requiring signage and limiting retention.
- Scoring and credit reporting (Section 31): Restrictions on automated individual decision-making in financial contexts.
- Criminal penalties (Sections 42 to 43): Germany is one of the very few EU member states to impose criminal sanctions, including imprisonment, for serious data protection violations.
- Freedom of expression and information (Section 57): Special provisions balancing data protection against press, academic, and artistic freedoms.
In February 2024, the German Federal Cabinet approved a draft law amending the BDSG to institutionalize the DSK formally, streamline joint-controller supervision for research and statistics processing, and clarify that business secrets can justify withholding access request information. That draft bill did not complete the parliamentary process before the coalition collapsed in November 2024, and the new CDU/CSU-SPD government has taken a different approach through the 2025 coalition agreement.
The TDDDG
The Telecommunications and Telemedia Data Protection Act -- originally enacted as the TTDSG on December 1, 2021, and renamed the TDDDG on May 13, 2024, to align with the European Digital Services Act -- governs privacy in electronic communications and digital services. Its most significant provision, Section 25, requires affirmative opt-in consent before any non-essential cookie or tracking technology may access a user's device. Purely technical cookies required to deliver a service the user requested are the only exception.
State-Level Data Protection Laws
Each of Germany's 16 federal states has its own Landesdatenschutzgesetz governing data processing by state and municipal public bodies. These state laws mirror the GDPR and BDSG framework but apply specifically to state-level government agencies, public schools, universities, and local authorities.
Regulatory Structure: The BfDI, 16 State Authorities, and the DSK
Germany's data protection enforcement architecture is the most complex in the European Union. Unlike most member states, which have a single national authority, Germany operates with 17 independent supervisory authorities.
The Federal Commissioner (BfDI)
The Federal Commissioner for Data Protection and Freedom of Information (Bundesbeauftragte für den Datenschutz und die Informationsfreiheit, BfDI) is the federal-level supervisory authority. Prof. Dr. Louisa Specht-Riemenschneider assumed the role in September 2024. In its 33rd Activity Report covering 2024, the BfDI reported receiving 11,824 complaints and inquiries -- a record high and roughly one-third more than the previous year. The authority conducted 80 on-site inspections and 40 written control procedures in the reporting year.
The BfDI has jurisdiction over federal government agencies and public bodies, telecommunications service providers, postal service providers, federal social security institutions, and the intelligence services (BND, BfV, MAD) with respect to data protection compliance. The BfDI can issue binding orders to federal authorities and impose fines on telecommunications and postal companies.
The BfDI has identified three priority focus areas: health data (digital health records, medical devices), artificial intelligence systems, and national security applications of data collection. The authority has been particularly vocal in opposing proposed surveillance powers that it regards as incompatible with the right to informational self-determination.
The 16 State Data Protection Authorities
For the private sector -- businesses, associations, freelancers, and non-governmental organizations -- supervision falls to the state-level authorities (Landesdatenschutzbeauftragte). Each of the 16 federal states has at least one authority, and Bavaria uniquely has two: one for public bodies and one for the private sector.
The state authorities are fully independent. They are not subject to instructions from the BfDI or from their respective state governments. Each authority sets its own enforcement priorities, develops its own interpretation of the GDPR, and decides independently whether and how to impose fines. Hamburg and Baden-Württemberg have historically been among the most active; others are more restrained.
The Datenschutzkonferenz (DSK)
To coordinate across this fragmented landscape, all 17 authorities participate in the Datenschutzkonferenz (DSK), which publishes joint guidance, position papers, and fining methodology. The DSK's fining model (last revised in 2022) provides a framework that authorities use to ensure rough consistency in sanction levels.
However, DSK decisions are not legally binding on individual authorities. This has produced situations where businesses receive different interpretations of the same GDPR provision depending on which German state they operate in. A 2024 DSK interim conference addressed this inconsistency by strengthening information-sharing procedures among the 17 authorities.
In May 2024, the DSK published its first guidance on generative AI and data protection, covering GDPR-compliant selection and deployment of AI tools by organizations. A companion position paper argued that German DPAs should serve as the national market surveillance authority under the EU AI Act.
2025 Coalition Agreement: Centralization Proposed
The coalition agreement of April 9, 2025 between CDU/CSU and SPD proposes a significant structural change: centralizing private-sector data protection supervision under the BfDI, which would be renamed the "Federal Commissioner for Data Utilisation, Data Protection and Freedom of Information." Under the proposal, the DSK would be formally anchored in the BDSG with authority to issue binding data protection standards. The agreement also envisions GDPR exemptions for small and medium-sized enterprises and for low-risk processing. Constitutional questions about federalism make this reform complex, and full implementation is expected to take several years.
Legal Bases for Processing: Consent and the Alternatives
Under GDPR Article 6, processing personal data is lawful only when it rests on one of six legal bases. In Germany, certain contextual factors make the choice of legal basis particularly consequential.
Consent under Article 6(1)(a) must be freely given, specific, informed, and unambiguous. In Germany, consent is scrutinized carefully because of the power imbalances that arise in employment, consumer, and public-service contexts. Pre-ticked boxes, bundled consents, and consent used as a precondition for accessing essential services are all treated with skepticism by German supervisory authorities.
Contract performance under Article 6(1)(b) covers processing genuinely necessary to fulfil a contract with the data subject or to take pre-contractual steps at the data subject's request.
Legal obligation under Article 6(1)(c) covers processing required by law -- for example, tax reporting, workplace health and safety records, or anti-money laundering requirements.
Legitimate interests under Article 6(1)(f) requires a three-step balancing test: the controller must have a legitimate interest, the processing must be necessary to pursue it, and the interests must not be overridden by the data subject's fundamental rights. German authorities apply this test strictly, particularly in employee monitoring, direct marketing, and fraud prevention contexts.
Special categories of personal data under GDPR Article 9 -- including health data, racial or ethnic origin, religious beliefs, trade union membership, and biometric data -- require a stricter legal basis, typically explicit consent or a statutory derogation.
Data Subject Rights
The GDPR grants individuals a robust set of rights that German supervisory authorities enforce actively.
Right of access (Article 15): Individuals can request confirmation of whether their data is being processed and obtain a copy. The BDSG clarifies in Section 34 that business and trade secrets can justify withholding parts of a response, but blanket refusals are not permitted.
Right to rectification (Article 16): Individuals can demand correction of inaccurate data and completion of incomplete data.
Right to erasure (Article 17): Often called the right to be forgotten, this applies where data is no longer necessary, consent is withdrawn, processing is unlawful, or a legal obligation requires deletion.
Right to restriction of processing (Article 18): Where the accuracy of data is contested or processing is unlawful but the data subject prefers restriction over erasure, processing can be suspended.
Right to data portability (Article 20): Where processing is based on consent or contract and carried out by automated means, individuals can obtain their data in a structured, commonly used, machine-readable format.
Right to object (Article 21): Individuals can object to processing based on legitimate interests or public task grounds. In direct marketing, the right to object is absolute and must be honored without qualification.
Automated individual decision-making (Article 22): Individuals have the right not to be subject to decisions based solely on automated processing that produce significant legal or similarly significant effects. German authorities interpret this article strictly, requiring meaningful human oversight in AI-based hiring, credit, and similar decisions.
Breach Notification Requirements
Germany follows the GDPR's breach notification framework under Articles 33 and 34.
Controllers must notify the competent supervisory authority within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in risk to individuals. The notification must describe the nature of the breach, the approximate number of affected individuals and records, the DPO's contact details, likely consequences, and measures taken or proposed to address the breach.
When a breach is likely to result in a high risk to individuals, the controller must also notify affected data subjects without undue delay.
Germany is one of the most active EU member states for breach notification. In 2024, German organizations filed 27,829 breach notifications -- the second-highest count of any EU member state (behind the Netherlands at 33,471) and roughly 20% of all European breach notifications. Practitioners attribute this partly to German supervisory authorities' strong encouragement of self-reporting, and partly to the legal exposure from failing to report.

Data Protection Officers: Germany's Lower Threshold
The GDPR requires DPO appointments in specific circumstances (Article 37): core activities involving large-scale processing of special categories of data, or core activities involving large-scale systematic monitoring of individuals. Germany goes further.
Under Section 38 BDSG, a DPO must be appointed when:
- At least 20 employees are regularly engaged in automated data processing -- regardless of whether that processing is high-risk.
- The controller conducts processing subject to a DPIA requirement under Article 35 GDPR, regardless of the number of employees.
- The controller processes personal data commercially for transfer, anonymized transfer, or market or opinion research purposes, regardless of size.
German law also provides enhanced employment protection for DPOs who are employees of the organization. They may only be dismissed for cause, and that protection continues for 12 months after the appointment ends.
Employee Data Protection: Section 26 BDSG and the Post-CJEU Landscape
Germany has historically maintained some of the strictest rules in Europe governing how employers may collect and use employee personal data. The trajectory of this area of law has been shaped by two major court decisions.
CJEU Case C-34/21: Section 26(1) Declared Inapplicable
In a judgment of March 30, 2023, the Court of Justice of the European Union ruled that Section 26(1) sentence 1 of the BDSG did not qualify as a valid "more specific rule" under GDPR Article 88(1). The Court held that member states invoking Article 88 must adopt provisions with genuinely more specific content than the GDPR itself -- mere restatement of the GDPR's general principles is insufficient. Following this ruling, the German Federal Labor Court (Bundesarbeitsgericht) declared Section 26(1) sentence 1 inapplicable.
Employers must now rely on the GDPR's general legal bases directly:
- Article 6(1)(b): Processing necessary for the performance of the employment contract (covering onboarding, payroll, and performance management directly tied to the employment relationship).
- Article 6(1)(f): Processing necessary for the employer's legitimate interests, subject to a balancing test against employee rights (used for fraud investigation, IT security, and certain monitoring activities).
What Remains in Effect
Other provisions of Section 26 BDSG were not invalidated. Section 26(4), which recognizes works agreements (Betriebsvereinbarungen) as a valid legal basis for employee data processing, remains applicable. These agreements, negotiated between employer and works council under the Works Constitution Act (Betriebsverfassungsgesetz), continue to be the most common mechanism for establishing a legal basis for workplace monitoring and HR analytics systems.
Section 26(2), which requires written or electronic form for employee consent to be valid, also remains in force. Given the inherent power imbalance in employment relationships, German authorities remain skeptical of employer reliance on employee consent.
Workplace Monitoring Restrictions
German law takes a restrictive position on employee monitoring:
- Email and internet monitoring: Spot-checks of work email are permissible where the employer has a concrete, documented reason. Continuous covert surveillance of employee communications is unlawful.
- Video surveillance: Covert video monitoring is only permitted where there is concrete, specific suspicion of criminal conduct by an identifiable employee, the monitoring is time-limited and proportionate, and less intrusive measures have been exhausted.
- Works council co-determination: Under the Works Constitution Act, works councils have a mandatory co-determination right when employers introduce technical equipment designed to monitor employee behavior or performance. Any monitoring system -- from keystroke loggers to AI-based productivity tools -- must be negotiated with the works council before deployment.
The Failed Beschäftigtendatengesetz
Germany had long been attempting to enact a standalone Employee Data Protection Act (Beschäftigtendatengesetz). A draft published in October 2024 aimed to provide comprehensive regulation of employee data processing before, during, and after employment -- including rules on AI in the workplace, biometric data, and the data protection implications of digital work environments.
The draft never advanced to formal parliamentary consideration. When the traffic-light coalition (SPD, Greens, FDP) collapsed on November 6, 2024, pending legislative projects including the Beschäftigtendatengesetz lapsed. The 2025 CDU/CSU-SPD coalition agreement does not mention the measure, making a third attempt at comprehensive employee data legislation uncertain. Employers must continue to navigate the post-Section 26 landscape using GDPR Article 6 general bases and works agreements.
Cross-Border Data Transfers
As an EU member state, Germany follows the GDPR's framework for international data transfers under Chapter V (Articles 44 to 49).
Adequacy decisions issued by the European Commission allow free transfer to recognized countries. As of 2026, adequacy covers Andorra, Argentina, Canada (commercial organizations under PIPEDA), the Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, South Korea, Switzerland, the United Kingdom, Uruguay, and the United States (organizations certified under the EU-US Data Privacy Framework adopted in July 2023).
Standard Contractual Clauses (SCCs) are the most commonly used mechanism for transfers to non-adequate countries. Controllers must accompany SCCs with a documented Transfer Impact Assessment verifying that the destination country's law does not undermine the SCC protections.
Binding Corporate Rules (BCRs) allow multinational groups to govern intra-group transfers after approval by the competent supervisory authority.
German supervisory authorities have been among the most rigorous in the EU when scrutinizing cross-border transfers. The BfDI has consistently emphasized that Transfer Impact Assessments must be substantive, documented, and updated whenever the legal or factual circumstances in the destination country change. Transfers to cloud providers or AI service providers in the United States remain a frequent subject of complaints and investigations.
The EU AI Act Overlay
The EU AI Act (Regulation 2024/1689), adopted in June 2024 and entering into force in phases from August 2024 through August 2026, creates a second regulatory layer that interacts with the GDPR in important ways for German organizations.
Risk Classification and GDPR Interaction
The AI Act classifies AI systems by risk. High-risk AI applications -- including those used in employment and workers' management, credit scoring, biometric identification, and law enforcement -- face strict conformity requirements. Where these systems process personal data, they must comply with both the AI Act's technical standards and the GDPR's legal basis requirements.
Article 47 of the AI Act requires providers of high-risk AI systems to include a statement of GDPR compliance in their conformity declaration where the system processes personal data. Many data principles overlap between the two regulations: transparency, accuracy, and security requirements appear in both. The key difference is scope -- the GDPR covers all personal data processing, while the AI Act focuses on AI systems and adds specific obligations around human oversight, robustness, and documentation.
German data protection authorities acted early. On May 6, 2024, the DSK published its first guidance on generative AI, covering GDPR-compliant deployment by organizations. The guidance addressed legal basis requirements, Article 22 automated decision-making restrictions, transparency obligations, and the need for data minimization in AI system inputs and outputs. The DSK also published a position paper arguing that German DPAs should serve as the national AI Act market surveillance authority, though the Federal Network Agency (Bundesnetzagentur) is now expected to take that role.
The BfDI's AI Consultation
In 2025, the BfDI launched a public consultation on AI models and personal data, seeking views on data protection-compliant development and deployment of AI, including data minimization, transparency, the conditions for using personal data in training, and the rights of individuals affected by AI-based decisions. The consultation reflects Germany's determination to shape the practical interpretation of AI-GDPR interaction before the enforcement phase of the AI Act begins.
Fan Pages and Social Media
A separate line of enforcement addresses AI-adjacent data flows. In July 2025, the Cologne Administrative Court partially upheld the BfDI's position in proceedings regarding German government entities operating Facebook fan pages. The Court agreed that joint controllership between fan page operators and Meta requires active compliance steps beyond mere creation of the page -- a significant finding for any German organization using social media business pages.
Penalties and Criminal Sanctions
Germany's penalty framework combines GDPR administrative fines with national criminal sanctions.
Administrative Fines Under the GDPR
The GDPR provides two tiers:
- Up to EUR 10 million or 2% of global annual turnover for breaches of controller and processor obligations, including DPO requirements, DPIA obligations, and breach notification duties (Article 83(4)).
- Up to EUR 20 million or 4% of global annual turnover for breaches of core processing principles, consent requirements, data subject rights, and cross-border transfer rules (Article 83(5)).
Criminal Sanctions Under the BDSG
The BDSG goes further than most EU member states by imposing criminal liability:
- Section 42(1): Up to three years imprisonment or a fine for transferring a large volume of personal data to third countries or making it available without authorization where the data was commercially processed or obtained for commercial purposes.
- Section 42(2): Up to two years imprisonment or a fine for processing personal data without authorization, or obtaining it by false pretenses, with intent to enrich oneself or cause harm to another.
- Section 43: Administrative fines up to EUR 50,000 for minor violations and up to EUR 300,000 for more serious violations not reaching the criminal threshold.
Criminal liability attaches to individuals, not corporations. Prosecution requires a formal complaint from the data subject, the supervisory authority, or the BfDI.
Notable Enforcement Actions
Germany's decentralized enforcement structure has produced some of the largest GDPR fines in Europe.

Vodafone: EUR 45 Million (2025)
In the largest enforcement action by the BfDI to date, Vodafone GmbH was fined a total of EUR 45 million in March 2025 -- EUR 15 million and EUR 30 million in two related decisions -- plus a reprimand. The BfDI found that Vodafone had failed to adequately supervise and audit its processor partner agencies and had allowed weaknesses in its online customer portal's authentication process that could have enabled misuse of eSIMs. The violations involved Articles 28(1) and 32(1) of the GDPR: inadequate processor agreements and insufficient security of processing.
H&M: EUR 35.3 Million (2020)
The Hamburg Commissioner for Data Protection fined H&M Hennes and Mauritz Online Shop A.B. & Co. KG EUR 35,258,707.95 on October 1, 2020, for systematic employee surveillance at its Nuremberg service center. Since at least 2014, managers had conducted detailed debrief conversations after employee absences, recording information about vacation activities, family problems, religious beliefs, and medical diagnoses. These notes were stored on a network drive accessible to up to 50 managers. The violation came to light in October 2019 when a configuration error made the files briefly visible company-wide.
Deutsche Wohnen: EUR 14.5 Million and the CJEU Ruling
The Berlin Commissioner fined Deutsche Wohnen SE EUR 14.5 million in October 2019 for storing tenant personal data in an archive system with no mechanism for deleting records no longer needed. The case then generated one of the most important GDPR rulings to date.
When a Berlin district court overturned the fine in February 2021, reasoning that fines could only be imposed where a specific culpable individual was identified, the question was referred to the CJEU. On December 5, 2023, the Court issued its judgment in Case C-807/21. The CJEU held, first, that the German model requiring attribution to a specific natural person before a company can be fined is incompatible with the GDPR -- companies can be fined directly for institutional failures. Second, the Court rejected strict liability: a fine may only be imposed where the controller has intentionally or negligently committed an infringement. The ruling has Europe-wide significance for how GDPR fines are calculated and contested.
notebooksbilliger.de: EUR 10.4 Million (2021)
The Lower Saxony data protection authority fined electronics retailer notebooksbilliger.de AG EUR 10.4 million for operating video surveillance cameras monitoring employees at workstations, sales floors, and warehouses for over two years without a legal basis. No concrete suspicion of criminal conduct had justified the surveillance.
1&1 Telecom: EUR 9.55 Million Reduced (2019)
The BfDI fined 1&1 Telecom GmbH EUR 9.55 million for relying solely on a customer's name and date of birth to verify caller identity at call centers. The Bonn district court subsequently reduced the fine by 90% on proportionality grounds, establishing that the original calculation was excessive even if the underlying violation was genuine.
Enforcement Trends: SMEs Now in Focus
Between 2018 and 2024, German supervisory authorities collectively issued approximately EUR 160 million in GDPR fines. The enforcement focus has shifted. Early years concentrated on large corporations; from 2024 onward, the center of gravity has moved toward SMEs and small website operators. Average sanctions against small businesses now range from EUR 50,000 to EUR 200,000 -- five to ten times higher than in 2020.
Practical Compliance Checklist for Organizations in Germany
Organizations processing personal data in Germany should address the following:
- Appoint a DPO if 20 or more employees handle automated data processing, or if you conduct high-risk processing or commercially trade in personal data.
- Implement a compliant cookie consent mechanism that defaults non-essential cookies to off and requires affirmative opt-in before any tracking technologies activate.
- Maintain a Record of Processing Activities as required by GDPR Article 30.
- Conduct Data Protection Impact Assessments for high-risk processing, particularly employee monitoring, large-scale profiling, and AI-based decision-making.
- Establish 72-hour breach notification procedures and test them before an incident occurs.
- Review all cross-border transfers with documented Transfer Impact Assessments for each destination country.
- Update employee privacy notices to identify the specific GDPR Article 6 basis for each processing activity following the Section 26 CJEU ruling.
- Consult the works council before deploying any monitoring, analytics, or AI system that processes employee behavioral data.
- Document data retention schedules and implement technical controls to delete data when retention periods expire.
- Identify your competent supervisory authority based on your establishment's location and sector.
- Assess EU AI Act obligations if you develop, deploy, or use AI systems -- particularly in hiring, credit, fraud detection, or public services -- and align DPIA and AI Act conformity documentation.
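As an added illustration of the opt-in item in the checklist above (example code, not from this guide or any German authority): a consent gate where every non-essential category defaults to off, a stored record only counts if it is an explicit boolean grant under the current consent version, and a tracker activates only when its category has been granted. The category names, record shape and tracker registry are assumptions for the example.

```javascript
// Added example: consent gate for non-essential trackers (hypothetical design).
// Non-essential categories default to OFF; a tracker activates only after an
// explicit grant for its category is recorded under the current policy version.

const NON_ESSENTIAL = ['analytics', 'marketing']; // assumed category names

// Turn whatever was stored (cookie/localStorage) into a safe consent record.
// Missing, malformed, stale-version or non-boolean values all mean "no consent".
function normalizeConsent(stored, currentVersion) {
  const base = { version: currentVersion, analytics: false, marketing: false, grantedAt: null };
  if (!stored || typeof stored !== 'object') return base;
  if (stored.version !== currentVersion) return base; // policy changed: ask again
  for (const cat of NON_ESSENTIAL) {
    if (stored[cat] === true) base[cat] = true;       // anything but true stays off
  }
  base.grantedAt = typeof stored.grantedAt === 'string' ? stored.grantedAt : null;
  return base;
}

// Record an affirmative choice. Only categories the user actively ticked are
// passed in; a pre-ticked box or a "continue browsing" banner never reaches here.
function recordChoice(tickedCategories, currentVersion, nowIso) {
  const record = normalizeConsent(null, currentVersion);
  for (const cat of tickedCategories) {
    if (NON_ESSENTIAL.includes(cat)) record[cat] = true;
  }
  record.grantedAt = nowIso;
  return record;
}

// Decide which registered trackers may run: essential ones always, the rest
// only with a recorded grant for their category. Returns the activatable ids.
function activatable(registry, consent) {
  return registry
    .filter(t => t.category === 'essential' || consent[t.category] === true)
    .map(t => t.id);
}

// Constructed sample registry (ids and categories are illustrative).
const REGISTRY = [
  { id: 'session-cookie', category: 'essential' },
  { id: 'web-analytics', category: 'analytics' },
  { id: 'ad-retargeting', category: 'marketing' },
];

// Demo: first visit (nothing stored) activates only the essential entry.
console.log(activatable(REGISTRY, normalizeConsent(null, 2))); // [ 'session-cookie' ]
```

In a page, the registry entries would map to script tags held inert (for example with a non-executable `type` attribute) and switched on only for the ids `activatable` returns.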
Frequently Asked Questions
How does Germany's data protection framework differ from the GDPR alone?
Germany supplements the GDPR through the Bundesdatenschutzgesetz (BDSG), which adds stricter requirements in several areas. These include a lower threshold for mandatory DPO appointments (20 employees involved in automated processing), criminal penalties including up to three years imprisonment for serious violations, specific rules on video surveillance and credit scoring, and enhanced protections for employee data. Germany also enforces the TDDDG for telecom and digital services privacy, including strict cookie consent rules. The result is a layered system where the GDPR provides the baseline and German national law raises the bar wherever the GDPR's opening clauses permit.
Which German supervisory authority has jurisdiction over my organization?
Jurisdiction depends on your organization's nature and location. Federal government agencies, telecommunications providers, and postal service providers fall under the BfDI. All other private-sector entities -- businesses, NGOs, and freelancers -- fall under the data protection authority of the German state where the organization is headquartered. Bavaria uniquely has two authorities: one for public bodies and one for the private sector. If your organization operates across multiple states, the authority where your main establishment is located takes the lead, though other state authorities retain jurisdiction for complaints filed by residents of their states.
What are the criminal penalties for data protection violations in Germany?
Under BDSG Section 42, individuals who unlawfully transfer large volumes of personal data to third countries or make commercially processed data available without authorization face up to three years imprisonment. Those who process data without authorization or obtain it by deception with intent to profit or cause harm face up to two years imprisonment. These criminal provisions apply to natural persons, not to companies. Prosecution requires a formal complaint from the affected individual, the supervisory authority, or the BfDI. These criminal sanctions exist alongside the GDPR's administrative fines, meaning a single incident could trigger both a corporate fine and individual criminal prosecution.
What changed with employee data protection after the CJEU invalidated Section 26 BDSG?
The CJEU ruled in March 2023 (Case C-34/21) that Section 26(1) sentence 1 BDSG merely restated the GDPR's general provisions rather than providing genuinely more specific rules as required by Article 88. The German Federal Labor Court subsequently declared it inapplicable. Employers must now rely on GDPR Article 6(1)(b) for processing necessary to perform the employment contract, and Article 6(1)(f) for legitimate interests balanced against employee rights. Other parts of Section 26 -- including the recognition of works agreements as a legal basis and stricter formal requirements for employee consent -- remain in effect. The planned Beschäftigtendatengesetz that would have replaced Section 26 lapsed when the coalition collapsed in November 2024.
What did the CJEU rule in the Deutsche Wohnen case (C-807/21)?
On December 5, 2023, the CJEU resolved two key questions about GDPR corporate liability. First, it held that companies can be fined directly for GDPR violations without identifying a specific culpable individual -- the German model requiring attribution to a natural person is incompatible with the GDPR. Second, the Court rejected strict liability: a fine can only be imposed where the controller has intentionally or negligently committed an infringement. Organizational fault -- for example, failing to establish an adequate compliance and data protection management system -- can satisfy this requirement. The ruling has direct relevance across all EU member states for how data protection fines are calculated and challenged.
How does the EU AI Act interact with GDPR in Germany?
The EU AI Act, entering into full effect in phases through August 2026, adds a parallel compliance layer for organizations developing or deploying AI systems. High-risk AI applications -- such as AI in hiring, credit scoring, or biometric identification -- must meet both the AI Act's conformity requirements and the GDPR's legal basis and rights obligations. The German DSK published its first generative AI guidance in May 2024, and the BfDI launched an AI model consultation in 2025. German authorities interpret GDPR Article 22, which restricts fully automated decisions, strictly -- meaning meaningful human oversight must be genuinely implemented, not merely nominal.
Will Germany centralize its data protection enforcement?
The 2025 coalition agreement between CDU/CSU and SPD proposes bundling private-sector data protection supervision under a renamed BfDI, with the DSK given authority to issue binding standards. The agreement also envisions GDPR exemptions for small and medium-sized enterprises and low-risk processing. However, coalition agreements are not binding legislation. Constitutional questions about federalism and the independence of state authorities make this reform complex, and full implementation is expected to take several years. Businesses must continue navigating the existing multi-authority structure in the meantime.
Sources and References
- Federal Data Protection Act (BDSG) -- English Translation (gesetze-im-internet.de)
- Federal Constitutional Court -- Census Judgment of December 15, 1983 (bundesverfassungsgericht.de)
- BfDI -- Federal Commissioner for Data Protection and Freedom of Information (bfdi.bund.de)
- BfDI -- Tasks and Powers of the Federal Commissioner (bfdi.bund.de)
- BfDI -- Data Protection Conference (Datenschutzkonferenz) (bfdi.bund.de)
- GDPR Full Text, Regulation (EU) 2016/679 (eur-lex.europa.eu)
- EDPB -- Hamburg Commissioner Fines H&M EUR 35.3 Million (edpb.europa.eu)
- EDPB -- Berlin Commissioner Imposes Fine on Deutsche Wohnen (edpb.europa.eu)
- EDPB -- BfDI Fines Vodafone EUR 45 Million (2025) (edpb.europa.eu)
- EDPB -- Breach Notification Guidelines (edpb.europa.eu)
- European Commission -- EU-US Data Privacy Framework Adequacy Decision (ec.europa.eu)
- BfDI -- 33rd Activity Report 2024 (bfdi.bund.de)
- BfDI -- AI Model Consultation 2025 (bfdi.bund.de)
- Datenschutzkonferenz (DSK) -- Official Portal (datenschutzkonferenz-online.de)
- GDPRhub -- CJEU C-807/21 Deutsche Wohnen Corporate Fault Ruling (gdprhub.eu)
- DLA Piper Privacy Matters -- Germany 2025 Coalition Agreement: Centralization Plans (privacymatters.dlapiper.com)
- activeMind.legal -- CJEU Declares Parts of BDSG Section 26 Invalid (activemind.legal)
- Hogan Lovells -- Germany Draft Employee Data Act Issued (hoganlovells.com)
- EDPB -- EUR 1.2 Billion Fine for Facebook (Meta) (edpb.europa.eu)