Recent developments and future prospects

Trends and developments

Have there been any notable recent trends or developments concerning the conduct of online and digital business (both business to business and business to consumer) in your jurisdiction, including any regulatory changes or case law?

Mirroring EU trends, the German legislator and courts are increasingly focusing on the legal responsibility and liability of platforms that create the commercial link between businesses and consumers. For example, the legislator has imposed specific regulations on social media and their treatment of user-generated content that substantially infringes third-party rights or the law (eg, the Network Enforcement Act). Case law is shaping when and for which content platforms become primarily liable (eg, as regards third-party marketing content and terms).

Influencer marketing is an area of advertising law that has seen a lot of activity and publicity recently.

Future prospects

What are the future prospects for digital business in your jurisdiction, including any proposed or potential regulatory reforms and future technological/market developments?

The growth of all types of digital business is expected to continue, alongside digital business turnover. Digitised services will increasingly be provided as automated commodities in both business-to-business and business-to-consumer relationships and in all aspects of consumer life. The Internet of Things, financial technologies and insurtech, applications involving reality elements and artificial intelligence and big data-driven services and technologies will not only shape and enhance, but also create digital business offerings.

Legal framework


What primary and secondary legislation governs the conduct of digital business in your jurisdiction?

The primary source of sector-specific law is the Telemedia Act, which implements and incorporates the general regulatory framework for e-commerce, including liability rules and information duties (both of which are rooted in the EU e-Commerce Directive (2000/31/EC). Various commercial practices that are vital to marketing activities are governed by the Act on Unfair Commercial Practices. Audiovisual services and platforms will need to refer to the State Treaty on Broadcasting. In addition, a large variety of product and service-specific regulations apply (eg, to the financial services industry, the insurance industry, product distribution and the protection of minors).

Regulatory authorities

Which authorities regulate the conduct of digital business and what is the extent of their powers?

There are no authorities or public administrative bodies specifically endowed with powers to regulate the conduct of digital businesses.

Rather, the authorities that oversee specific sectors are generally allowed to take action against unlawful conduct within their legal remit – most notably media regulation, data protection and telecoms. As a consequence of Germany’s federal structure, providers of online services and operators of digital businesses often also deal with local authorities.

In Germany, markets tend to be regulated from within. This is done through privately organised bodies, such as consumer protection associations and competition protection associations, that have enforcement powers against:

  • breaches of business practice codes (in which case they typically order the infringer to cease and desist); and
  • damages and skimming-off of profits.

This is a matter of civil litigation under the Law on Injunctions for Consumer Rights and Other Infringements and the Act Against Unfair Competition.

Government policy and regulatory approach

How would you describe the government’s policy and regulatory approach to digital business?

 The German government is eager to support market development and growth, while also emphasising the need to protect consumers and ensure that the existing regulatory framework is abided by. Consequently, government activity typically targets areas where the need for improvement with regard to the protection of citizens’ interests has been identified (eg, as was the case with the enactment of the Network Enforcement Act).

Establishing digital businesses


What regulatory and procedural requirements govern the establishment of digital businesses in your jurisdiction? To what extent do these requirements and procedures differ from those governing the establishment of brick-and-mortar businesses?

As regards establishing a business, the rules for online businesses do not substantially vary from those applicable to brick-and-mortar businesses. Depending on the place of establishment, a general permit to do business or sector-specific licences (eg, for offering financial services or for linear broadcasting activities) may be required. Such licence requirements may be subject to exemptions from the general EU framework furthering the freedom of services (eg, by allowing passporting or relying on licences from other EU or European Economic Area member states).

Electronic contracts and signatures

Electronic contract availability

Are electronic contracts legally valid in your jurisdiction? If so, what rules and restrictions govern their formation (including any mandatory or prohibited provisions and contract formats)?

The validity of electronic contracts is based on the same principles as those applying to the validity of contracts in general. A contract is formed where one party makes an offer and another party accepts this offer (Sections 145 and following of the German Civil Code). The parties need to agree on the essential content of the contract. Also, the general rules regarding prohibited provisions apply (eg, the prohibition of legal transactions contrary to public policy according to Section 138 of the Civil Code or the rules on unfair consumer and commercial terms under Sections 305 and following).

Where statutory law requires a specific form (eg, written form or notarial form), electronic contracts are typically insufficient to form a valid contract. However, the statutory written form required can be replaced by certain electronic means by using a qualified electronic signature under Section 126a of the Civil Code, unless explicitly prohibited by statutory law. The technical requirements for a qualified electronic signature are set out in the Electronic Identification and Trust Services for Electronic Transactions in the Internal Market Regulation (910/2014/EU, eIDAS Regulation) and Germany’s Trust Service Provider Act.

Parties may voluntarily require a written signature, an electronic signature or even a qualified electronic signature.

Disputes over the formation of contract or due form will typically concentrate on matters of proof.

Are there any limitations or restrictions on transactions that can be concluded through electronic contracts?

Certain types of contract require a specific form by law. Typically, these requirements are tied to high-impact transactions (eg, acquiring shares in companies or purchasing property). If the form requirement is not met, the contract is invalid.

Data retention

Do any data retention requirements apply to electronic contracts?

There are no retention requirements specific to electronic contracts. However, general retention requirements for business documents apply, which are rooted in merchant due diligence and tax regulations. Specific technical requirements for storing and accessing electronic contracts may have to be fulfilled (see the Principles for the Proper Management and Retention of Books, Records and Documents in Electronic Form and for Data Access set by the German tax authorities and applicable to business establishments in German, which can in some circumstances cover online business-related activities).


Are any special remedies available for the breach of electronic contracts?


Electronic signatures

Are electronic signatures legally valid in your jurisdiction? If so, what rules and restrictions govern their use?

Electronic signatures are generally valid, unless statute requires a more stringent form (ie, written) for specific contracts or transactions. Written signatures may be replaced by a qualified electronic signature pursuant to Section 126a of the Civil Code, unless explicitly prohibited by statute. The technical requirements for a qualified electronic signature are set out in the eIDAS Regulation and the Trust Service Provider Act. The statutorily required notarial form cannot be replaced in such manner.

Electronic payments

Electronic payment systems

Are there any rules, restrictions or other relevant considerations regarding the use of electronic payment systems in your jurisdiction?

In addition to the framework implemented by the EU Payment Services in the Internal Market Directive (2015/2366), German case law maintains a rule that a merchant must always offer at least one means of payment to consumers that is widely available and reasonable for the consumer to use at no extra cost. Therefore, online businesses must offer at least one payment method with these characteristics to their customers.

Virtual currencies

Are there any rules or restrictions on the use of virtual currencies (eg, Bitcoin)?

Virtual currencies may be used as payment methods for goods and services bought online. Virtual currencies – including in-game currencies – are typically subject to general civil law rules on monetary claims. However, virtual currencies can also become subject to e-money regulation (while Bitcoin as such cannot) or other financial services regulation. Associated further types of use, especially trading virtual currencies and tokenisation of cryptocurrencies (as is typical for initial coin offerings) can also be subject to further, more stringent financial services regulations.

In addition, cryptocurrencies will not typically be regarded as widely available and reasonable for the purposes of Section 312a of the Civil Code and, thus, will not satisfy the requirements for mandatory free means of payment.

Data protection and cybersecurity

Collection, use and storage

What rules, restrictions and procedures govern the collection, use and storage of personal data in the course of digital business in your jurisdiction?

Generally speaking, the processing of personal data is governed by the EU General Data Protection Regulation (2016/679 GDPR) and the German Federal Data Protection Act. However, specialised laws also apply (eg, the Telecommunication Act and other sector-specific regulations), which may impose a specific framework for data retention and disclosures.

International data transfers

What rules and restrictions apply to the cross-border transfer of personal data collected in the course of digital business?

The cross-border transfer of personal data is governed by Articles 6(1) and 44 to 50 of the GDPR.

Consumer rights

What rights are afforded to consumers in relation to their personal data?

The GDPR grants rights to the data subject in relation to personal data. When processing data, the controller must regard:

  • the information right (Articles 13 and 14 of the GDPR);
  • the right of access (Article 15);
  • the right to rectification (Article 16);
  • the right to erasure;
  • the right to be forgotten (Article 17); and
  • the right to restriction of processing (Article 18).


How is the use of cookies regulated?

The German data protection authorities have stated that the GDPR applies to cookies. Further, the authorities have formulated a mandatory consent requirement for analysis services and associated cookies.

This would mean that when a website is accessed, an intermediate page would have to be built to obtain – on a voluntary basis – consent for cookies for analysis services. Cookies required for the presentation of the website may be processed on the basis of legitimate interest (ie, without explicit consent). In any case, all cookies are subject to the information obligations of the GDPR and must therefore be reflected in the privacy policy of the website.

Data breach

What rules and standards govern digital operators’ response to data breaches? Are they subject to any notification requirements in the event of a data breach? What precautionary measures should be taken to avoid data breaches?

As stated above, the relevant laws in the context of a data breach are as follows:

  • At EU level, the GDPR, including:
    • Article 4 – which defines ‘breach’ and ‘personal data’;
    • Article 32 – which sets out rules for IT security;
    • Articles 33 and 34 – which sets out rules for notifications and communication about personal data breaches;
    • Article 82 – which implements damages claims for affected data subjects; and
    • Article 83 – which imposes severe fines for infringing the applicable rules.
  • At national level, the Federal Data Protection Law of 25 May 2018, including:
    • Section 29 – regarding a limit to the information duties of the controller;
    • Section 64 – which provides a list of required technical and organisational measures that must be implemented to ensure security of data processing; and
    • Section 83 – which implements the data subject’s right to claim immaterial damages, in addition to other damages and regulatory fines.

A ‘data breach’ is any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to, personal data transmitted, stored or otherwise processed. ‘Personal data’ in this context includes any information that can be traced to an individual person, including but not limited to information which is:

  • commercial or private;
  • confidential or openly communicated; or
  • relating to banking details.

Whenever there is a risk that an internal or external party has gained access to the personal data of an EU citizen that has not been authorised by law or received the consent of the individual concerned, the controller or processor must assess the incident and its potential consequences.

Data breach reporting Every data breach must be reported to the regulator, unless it is unlikely to result in a risk to the fundamental rights and freedom of individuals. Where the number or criticality of affected data does not induce any such risk, the incident may remain unreported. The same might apply to data that was publicly available before the breach. However, the loss of data must be reported if it is likely to have significant adverse effects on the data subject (eg, loss of control of digital identity, financial loss, damage to reputation or damage or loss of privacy for very private information).

Appropriate encryption of data or efficiently implemented pseudonymisation can eliminate, or at least reduce, the risk to the rights and freedom of individuals. Leaks of properly encrypted data thus need not be reported.

As with any data protection regulations, the reporting obligation does not apply to the data of companies or things, unless there is a chance that they might include information traceable to an individual (eg, an employee of the company or owner of the connected tool).

Information communicated to data users and subjects Data breaches must be communicated to affected individuals only if there is a high risk to their rights and freedom. This communication is not required if suitable technical and organisational measures are in place that do not allow unauthorised access to the personal data. This includes state-of-the-art encryption.

In addition, German law provides that it is not necessary to inform the data subject if reasonable confidentiality obligations towards third parties prevail.

Reporting responsibilities The data controller (who decides whether and how data is processed) is responsible for notifying the regulator and communicating with the data subjects.

The data processor must report any data breach to the data controller without undue delay in order to allow the controller to comply with reporting obligations.

Time limits and formal requirements The data breach must be reported within 72 hours to the responsible regulator. This time limit starts as soon as the controller becomes aware of the breach, either by way of its own discovery or through information provided by the data processor (or other third parties). Missing this deadline is permitted only in justified cases.

Article 33 of the GDPR provides details of what a data breach report must contain, including:

  • the type of data breach;
  • the categories of data concerned;
  • the number of data subjects and data sets;
  • the data sets themselves;
  • an assessment of the consequences for the data subjects; and
  • measures to eliminate or minimise damage to the data subject.

Most regulators in Germany are providing online tools to enable data breach notifications.

Penalties A breach of reporting obligations can trigger a fine of up to €10 million or 2% of the company’s annual worldwide turnover.

Data subjects affected by a data breach are entitled to claim material and immaterial damages caused by the controller’s failure to timely report the breach to regulators and inform the data subjects.

Further information Further information regarding data protection can be found in:


What cybersecurity regulations and/or standards apply to the conduct of digital business?

The main sources for the regulation of cybersecurity that apply to conducting digital business are the applicable provisions of the Act on the Federal Office for Information Security, the GDPR and their German equivalent, the Federal Data Protection Act.

Aside from abiding by the rules governing the protection of personal data under the GDPR and the Federal Data Protection Act – which includes the protection of personal data through appropriate technical and organisational measures – the Act on the Federal Office for Information Security requires ‘digital services providers’ (ie, cloud providers, online market places and online search engines) to protect their network and systems used to provide their service using state-of-the-art technology and to notify the Federal Office for Information Security of any substantial security incidents in this respect.

Moreover, under the Telemedia Act service providers must take appropriate measures to protect their services (eg, applications or websites) against unauthorised access and disruptions, including cyberattacks.

Is cybersecurity insurance available and commonly purchased?

Cybersecurity insurance is available in Germany. Whether or not it is purchased depends on the business sector and size of the company. Purchasing cybersecurity insurance is common in industries in which the key assets and offerings are the provision of online services (eg, platform providers, providers of software as a service and cloud providers).


Are there regulations or restrictions on the use of encryption?

There are no regulations or restrictions specifically addressing encryption methods. Where personal data is processed, a proper encryption mechanism must be used to meet the requirements to protect personal data using appropriate technical and organisational measures. The same applies where German law puts businesses or industries under specific obligations to protect their network and information systems (eg, providers of critical infrastructures or digital service providers).

Government interception/retention

What rules and procedures govern the authorities’ interception of communications and access to consumer data?

There are no statutory rules and procedures in place in Germany that specifically govern access to consumer data. The main procedures that would allow authorities to intercept communications or request that data be disclosed (eg, by a cloud provider) is the Code of Criminal Procedures, under which such access is possible for prosecution purposes. Several state police laws provide similar provisions which allow the authorities to intercept and access data to prevent criminal acts or to protect public safety.

However, the criteria that the authorities must fulfil to intercept communications or gain access to data are restrictive (eg, to prevent serious offences, including terroristic acts and homicide) and must be proportionate to the purpose that they serve.

Advertising and marketing


What rules govern digital advertising and marketing in your jurisdiction?

Digital advertising must comply with the Act on Unfair Commercial Practices, which regulates the market behaviour of individual companies. The act determines that – among other unfair practices as set out in the EU Unfair Commercial Practices Directive (2005/29) – a commercial practice that constitutes an ‘unacceptable nuisance’ to a market participant is illegal. An unacceptable nuisance is always assumed where advertising uses a medium that is suited to distance marketing and through which a consumer is persistently solicited, even if they have expressed an objection. An unacceptable nuisance is also assumed if advertising uses a medium:

  • where the identity of the sender on whose behalf the communication is transmitted is concealed or kept secret;
  • that violates Section 6(1) of the Telemedia Act;
  • that prompts the recipient to visit a website that violates Section 6(1); or
  • that provides no valid address to which the recipient can send an instruction to cease sending them further messages of that nature, without incurring costs other than transmission costs pursuant to the basic rates.

This means that advertising must always be labelled as such. If AdWords, banners and pop-ups are used, they must correctly disclose their commercial character and may need to be appropriately labelled. Influencer marketing and viral marketing (eg, refer-a-friend schemes) should not be surreptitious advertising. Electronically supported refer-a-friend schemes have been extensively restricted in recent case law.

Digital businesses must also comply with data protection laws and the Telemedia Act. This particularly applies to tracking for advertising purposes and retargeting analysis of cookies, as well as of the use of ‘like’ buttons and Facebook custom audiences. It is common for consent to be obtained in order for the processing of data to be lawful. In addition, the consumer must always be informed about the purpose of the data processing.

Further, both ‘behind the camera’ and ‘in front of the camera’ rights (eg, copyright under the Copyright Act) and privacy and publicity rights must always be respected, especially when using picture material.

Various other laws apply to the offering of products and services online. Thus, an online offer for goods or services should always duly consider the potentially extensive information requirements under consumer rights legislation and the Unfair Commercial Practices Directive. For example, information on warranties under the Civil Code or regarding e-tailing of goods or environmental information under the Battery Act and the Electric Act may have to be included.

Are there any specific regulations governing the use of targeted advertising?

As targeted advertising entails the collection and analysis of personal data, data protection laws must be followed. In particular, tracking must be designed in such a way that is legally permissible. Currently, there is legal uncertainty regarding the lawfulness of tracking cookies. The EU Data Protection General Regulation (2016/679) must be complied with. How far the Telemedia Act is still to be considered is unclear.

In addition, the EU ePrivacy Regulation, once in force, will likely regulate the use of cookies and potentially other tracking methodology. It is clear that users must be informed of the use of cookies (eg, for pop-ups or banners). In the future, the user’s consent for the use of cookies may be required if the ePrivacy Regulation comes into force or the courts or regulators consider this to be necessary.

Moreover, the regulations under the Act on Unfair Commercial Practices and further specific laws must be complied with.


Are there any restrictions or limitations on goods and services that can be advertised, marketed and sold online?

In principle, any products can be offered online. However, various sector or product-specific laws must be observed. For example, the sale of alcohol or tobacco requires age verification and is also subject to sector-specific advertising restrictions (partly with a view to protecting minors). This also applies to games or films with age restrictions.

For electrical appliances, certain labelling and registration obligations apply (eg, for old electrical appliances). Foods must highlight certain information so that the consumer is informed about ingredients and values under the EU Food Information Regulation (1169/2011). The sale of chemicals must be accompanied by certain warnings under the EU Registration, Evaluation, Authorisation and Restriction of Chemicals Regulation (1907/2006) and the Law on the Protection against Dangerous Substances. Specific rules apply to almost all industries (eg, cosmetics and textiles), and consequently, any business seeking to sell products online should ensure that the products are advertised according to such rules.

Spam messages

What rules and restrictions govern the sending of spam messages?

Section 7 of the Act on Unfair Commercial Practices allows the sending of emails for advertising purposes only with the recipient’s consent. Such consent must be verified through a double opt-in method, under which the recipient ticks a box online and receives a verification email, which ensures that the recipient has actually given their consent.

By way of exception, email advertising is allowed under the EU ePrivacy Directive (2002/58) if:

  • the company has obtained the customer’s email address in connection with the sale of goods or services directly from them;
  • the company uses the address for direct advertising of its own similar goods or services;
  • the customer has not objected to this use; and
  • the customer has been clearly and unequivocally advised, when the address is collected and each time it is used, that they can object to such use at any time, without costs arising by virtue thereof, other than transmission costs pursuant to the basic rates.

If a recipient has declared their objection to receiving commercial communication, the sender should ensure that this person no longer receives such advertising in the future. The recipient may receive advertising again only once some prerequisites are met (eg, consent to receiving advertising content has been given again).

Digital content and IP issues

Required notices

Are websites and any other digital content required to display certain legal notices or other information in your jurisdiction?

Websites and other telemedia services are obliged to provide mandatory provider information, typically referred to as ‘imprint’. This imprint must include the full legal name, address, legal representatives and other information of the company if the service is offered by a company or of a supervisory authority if official authorisation is necessary to operate the business. Specific contact details must also be provided.

If goods and services are offered to consumers, additional requirements must be fulfilled closely connected to the requirements set out by the EU Consumer Rights Directive (2011/83), which has been interpreted by local courts on numerous occasions. For example, information duties relate to:

  • information on the consumer’s right of withdrawal, if any;
  • for order transactions via a website, there is an obligation to mark the button that is used to place an order with the words “order with obligation to pay” or equally unambiguous wording;
  • a link to the EU platform for online dispute resolution must be present on the website; and
  • information on the extent to which a trader that maintains a website is willing or obliged to take part in dispute resolution procedures before a consumer conciliation body.

Where personal data is collected, information must be provided under Articles 13 and 14 of the EU General Data Protection Regulation (2016/679).

Dependent on the area of business, further obligations to display legal notices or information may apply (eg, when offering package holidays).

Liability for content

What rules govern liability for online or other digital content that is defamatory or infringes another party’s IP rights?

Liability for defamatory or infringing digital content is governed by the general statutory provisions (eg, the German Civil Code for certain personality rights, the Act on Copyright and Related Rights and the Trademark Act).

The Telemedia Act governs the liability of website hosts and other telemedia providers in accordance with the EU eCommerce Directive (2000/31). With respect to the extent of liability, the law differentiates between providers that:

  • operate a service with their own or ‘appropriated’ content (‘content providers’);
  • store third-party content on servers (‘hosting providers’); and
  • provide access to data, convey data or buffer it to improve the efficiency of the transportation of the data (‘access providers’).

How can liability be excluded or limited?

Liability for own or appropriated content cannot be limited unilaterally (eg, by a disclaimer). A blanket dissociation to linked content is also ineffective; if it is too extensive, it may even increase liability. It is a question of various factors, including licence terms and factual control, whether content is ‘appropriated’ or remains third-party content, with its less stringent liability rules.

An exclusion or limitation of liability is possible only by contract, typically by including general terms and conditions in the website usage contract (ie, terms of use or terms of service). However, such a contract generally requires that the user actively agree to its conclusion, which is typically not the case through mere use of a website or service. In addition, according to the provisions regulating terms and conditions, such exclusion or limitation might be invalid in certain circumstances, in particular if the exclusion or limitation is surprising or deviates too far from the statutory framework.

Which parties can be held liable for defamatory or infringing content? Can contingent liability be extended to internet service providers (ISPs)?

Certain providers are granted privileges. If a provider stores third-party content (hosting providers) or provides access to data, conveys data or buffers it to improve the efficiency of the transportation of the data (access providers), they are generally not responsible for such content.

Websites and other telemedia providers are responsible for their own content in accordance with the law, without restrictions. They are also responsible for third-party (eg, user-generated) content that they appropriate (eg, if the website provider utilises user-generated content after reviewing it for completeness and accuracy or if the website provider demands to be granted the right of use of user-generated content). Such providers are also liable for links to illegal content, at the latest at the time of knowledge of the illegality of such content.

In case of infringement of IP rights, wireless network providers might also be held liable by the owner of IP rights to block such use of information if there are no other effective means to cease the infringement.

Content takedowns

What rules and procedures govern content takedowns? Can ISPs remove defamatory or infringing content without permission?

All website and other telemedia providers are obliged to remove illegal information or block the use of illegal information as soon as they receive knowledge of such content.

However, website and other telemedia providers are not obliged to monitor content other than that which is their own or appropriated to detect illegal content.

According to the Law to Improve the Law Enforcement in Social Networks, social networks with 2 million registered users or more must remove content if it violates the law and the social network is notified about such violation within specific timeframes. Regardless of the number of registered users, any social network is obliged to designate a domestic agent for service of documents.

Providers can generally remove defamatory or infringing content without permission if it is legally established that the content is illegal, except if the content is protected by secrecy of telecommunications.

Domain names

What rules, restrictions and procedures govern the licensing of domain names?

DENIC is the registry for ‘.de’ top-level domain names. DENIC will register a domain name if it meets the requirements for registration contained in the domain guidelines and is not already registered by a third party. In this case, a contract of use between DENIC and the person designated as domain holder in the registration form is concluded on registration.

A domain is not a physical object, but an internet address that the domain holder has a transferable right of use under the contract with DENIC or another registry. Therefore, the provisions of a legal purchase apply to a domain purchase. In addition, the licensing of domains is allowed; this would be classified as a ‘legal lease’ within the meaning of Section 581(2) of the German Civil Code.

In the case of a transfer of a ‘.de’ domain, the document must specify the:

  • parties involved;
  • domain to be transferred; and
  • price of the transfer.

The decisive factor is that the transfer of the domain does not depend solely on the parties, but to a large extent on their respective providers, which are vicarious agents of the party in this respect. Therefore, the contract must contain the seller's obligation to irrevocably cause his or her provider to delegate the domain to be transferred to the provider. Once the delegation has taken place, the purchaser's provider must arrange for the domain to be registered in DENIC's register.

How are domain name disputes resolved in your jurisdiction?

Domain disputes can be settled out of court or – in practice, much less frequently – in court. If the claim is against the use of a ‘.de’ domain, no alternative dispute resolution mechanism is available. Rather, the procedure is generally based on German trademark and procedural law.

The domain holder will first be contacted by way of an authorisation request, citing earlier priority trademark rights or will receive an immediate warning whereby they will be notified of the infringement and asked to submit to a declaration of cease and desist.

German law does not provide a basis for the transfer of a domain name. It is advisable to submit a dispute application to DENIC in advance of the warning. This can prevent the domain holder from transferring the domain to a third party during the legal dispute. If an out-of-court settlement fails, the domain dispute must be settled in court.

What special measures and safeguards should rights holders consider in protecting their online/digital content?

Online/digital content is not protected by special laws in Germany. Rather, the general laws apply, in particular copyright law in the case of online/digital content and potentially trademark and design law.

In order for content to be protected by copyright, the content must be personal intellectual creations. According to current opinion, recognition that a work is eligible for protection presupposes that it:

  • was created personally;
  • has an intellectual content that has been expressed in a perceptible form; and
  • has individuality and, in this respect, meets the required design threshold.

Copyrights do not have to be formally registered, but arise automatically with the creation of the corresponding works.

However, a rights holder can protect work by so-called technological measures pursuant to Sections 95a and following of the German Act on Copyright and Related Rights. Technological measures are technologies, devices and components that, in the normal course of their operation, are designed to prevent or restrict acts, in respect of protected works or other subject-matter protected under the Act on Copyright and Related Rights, which are not authorised by the rights holder. Examples of technological measures include, among others:

  • encryption technologies;
  • filter systems;
  • digital rights management systems; and  
  • geo-blocking measures.

Section 95a of the Act on Copyright and Related Rights prohibits the circumvention of technological measures and of corresponding preparatory and support actions.

In contrast to copyrights, trademark and design rights must first be formally registered in order to offer protection from third parties.

Tax issues

Online sales

How are online sales taxed?

Generally, online sales are taxed in the same way as other sales. However, there are special rules for value-added tax on sales of services that depend on whether those services are computer-based (ie, where no human being is involved in the actual service process).

Other taxes

What other tax liabilities arise in respect of the conduct of digital business in your jurisdiction?

Currently, there is no digital business tax in Germany, but a discussion is ongoing at EU level as to whether such a tax should be introduced.

Jurisdiction, governing law and dispute resolution

Jurisdiction and governing law

How do the courts determine jurisdiction and governing law in relation to online/digital transactions and disputes?

In general, the jurisdiction is determined by the Civil Process Order and relevant EU regulations. The nature of the dispute dictates which court is competent. In cross-border disputes, the governing law is determined under the Introductory Law to the Civil Code and the relevant EU regulations. Subject to certain restrictions (eg, where the consumers involved are based), the parties can determine jurisdiction and governing law by contractual agreement as well.


Are there any specialist courts in your jurisdiction which deal with online/digital issues and disputes?

No, there are no such specialist courts.

Alternative dispute resolution

What alternative dispute resolution (ADR) methods are available for online/digital disputes? How common is ADR for online/digital disputes in your jurisdiction?

If goods or services are sold online to consumers, the merchant can use the online dispute resolution platform of the European Commission. The merchant must ask the consumer whether they are willing to participate before concluding the contract. That said, alternative dispute resolution is uncommon in Germany, even though certain sector-specific initiatives exist.