Legal and regulatory framework

Government approach

How can the government’s attitude and approach to internet issues best be described?

The German government continues to focus its attention on the Internet and digitalisation more generally as potential growth factors for the German economy and with the aim of facilitating entrepreneurship and development.

In parallel to several EU initiatives, both the legislature and specific case law developments have shifted the focus to the legal responsibility and liability of online platforms that create commercial links between businesses and consumers.

Further, there has been much activity and publicity regarding the enforcement of advertising law in the influencer marketing sphere.


What legislation governs business on the internet?

The Telemedia Act is the primary sector-specific law. It implements and incorporates a general regulatory framework which is relevant to e-commerce, including liability rules and information duties (both rooted in the EU E-Commerce Directive (2000/31/EC)) and certain commercial practices. The Act on Unfair Commercial Practices is of utmost importance to marketing. Audiovisual media services and a broad variety of online platforms are governed by state treaties (eg, the State Treaty on Broadcasting), which is currently under revision to become the Media State Treaty. Other important legislation includes consumer protection law and a variety of product and service-specific regulations (eg, financial service, insurance and product distribution legislation) and the EU General Data Protection Regulation.

Regulatory bodies

Which regulatory bodies are responsible for the regulation of e-commerce, data protection and internet access tariffs and charges?

There are no authorities or public administrative bodies with specific power to regulate e-commerce. Rather, the authorities that oversee specific sectors regulate unlawful conduct within their respective legal remit; most notably through the federal media authorities, federal data protection authorities and the Bundesnetzagentur for telecoms and access tariffs.

Extensive regulatory activity is carried out within the market itself under civil law. Privately organised bodies such as consumer protection and competition protection associations have the power to address the unlawful conduct of businesses (typically via cease and desist orders), but also to calculate damages and the skimming-off of profits. Such instances are a matter for civil litigation based on the specific acts (ie, the Law on Injunctions for Consumer Rights and Other Violations and the Act Against Unfair Competition).


What tests or rules are applied by the courts to determine the jurisdiction for internet-related transactions or disputes in cases where the defendant is resident or provides goods or services from outside the jurisdiction?

Due to the ubiquity rules, the key tests are based on the EU Rome I Regulation (593/2008), the EU Rome II Regulation (864/2007) and the EU Brussels Regulation (44/2001). The test is typically whether a certain activity was aimed at the German market or its participants. Within the European Union this may be subject to certain (but limited) sector-specific country of origin principles.

Establishing a business

What regulatory and procedural requirements govern the establishment of digital businesses in your jurisdiction? To what extent do these requirements and procedures differ from those governing the establishment of brick-and-mortar businesses?

The rules for establishing an online business are not substantially different from those for brick-and-mortar businesses. A general business permit or sector-specific licence (eg, for financial services or linear broadcasting activities) may be required depending on the place of establishment. Such requirements may be subject to exemptions based on EU freedom of service rules (eg, by allowing passporting or relying on licences from other EU or EEA member states).

Contracting on the internet

Contract formation

Is it possible to form and conclude contracts electronically? If so, how are contracts formed on the internet? Explain whether ‘click wrap’ contracts are enforceable, and if so, what requirements need to be met?

The validity of electronic contracts is based on the same principles as contracts in general. A contract is created where one party makes an offer and another party accepts it. Actual activity is needed to express the declaration of will to contract. Click-wrap contracts are a common standard. Further, consumer contracts have formal requirements for due formation (ie, the so-called ‘button solution’ under the EU Consumer Rights Directive (2011/83/EU)) – and general terms and conditions can be duly noted before the contracting process is agreed to apply.

Applicable laws

Are there any particular laws that govern contracting on the internet? Do these distinguish between business-to-consumer and business-to-business contracts?

Section 145 et seq of the Civil Code applies to the offer and acceptance of contracts, while general civil law applies to the termination, rescission and voiding of contracts. Standard terms and conditions apply for business-to-customer contracts, while business-to-business contracts may be subject to laws on unfair commercial terms under Section 305 et seq of the Civil Code.

Electronic signatures

How does the law recognise or define digital or e-signatures?

In general, there is freedom regarding the type of contract that can be used, including digital contracts or e-signatures. However, certain types of contract per statute require a specific form. These requirements are typically tied to specific types of transaction with a high impact (eg, acquiring shares in companies or purchasing property). If the form requirement is not met, a contract will be deemed invalid.

Where statutory law requires a specific form of contract (eg, written or notarial), electronic contracts will generally be considered invalid. However, a statutory written contract requirement can be replaced by certain electronic means (eg, the qualified electronic signature under Section 126a of the Civil Code), unless not explicitly prohibited by law. The technical requirements for a qualified electronic signature are set out in the EU Regulation on Electronic Identification (910/2014) and the Trust Service Provider Act.

Data retention

Are there any data retention or software legacy requirements in relation to the formation of electronic contracts?

The data retention rules for bookkeeping, merchant due diligence and tax regulations for commercial transactions generally apply to the formation of contracts. However, specific technical requirements for storing and accessing electronic contracts may have to be fulfilled (see the Principles for the Proper Management and Retention of Books, Records and Electronic Records and for Data Access, set out by the German tax authorities and applicable to business establishments), which can cover online business activities in some circumstances.


Are any special remedies available for the breach of electronic contracts?

No such special remedies are available.


Security measures

What measures must be taken by companies or ISPs to guarantee the security of internet transactions? Is encryption mandatory?

Companies must protect personal data under the EU General Data Protection Regulation (GDPR). This also applies to online transactions. Encryption is not mandatory, but is considered a suitable security measure under Article 32 of the GDPR.

In addition, internet or telecom service providers (eg, internet service providers) must take appropriate measures to protect against potential disruptions (Section 13(7) of the Telemedia Act and Section 109 of the Telecoms Act).

Security measures must consider the state of the art (ie, security requirements must adapt to technological progress). However, German law specifies details regarding encryption algorithms and key lengths.

Government intervention and certification authorities

As regards encrypted communications, can any authorities require private keys to be made available? Are certification authorities permitted? Are they regulated and are there any laws as to their liability?

No authority can require users to reveal private keys used for encrypted communications. However, certification authorities are permitted and their operation is regulated by the EU Regulation on Electronic Identification (910/2014) and the Trust Services Act. Liability is regulated by Articles 11 and 13 of the EU Regulation on Electronic Identification. If a trust service provider contracts with third parties, liability is increased (Section 6 of the Trust Services Act).

Electronic payments

Are there any rules, restrictions or other relevant considerations regarding the use of electronic payment systems in your jurisdiction?

In addition to the framework that the EU Payment Services Directive (2015/2366/EC) (PSD II) introduced, German case law maintains that merchants must offer at least one means of payment to consumers at no cost which is widely available and reasonable for the consumer to use. Therefore, at least one of the payment methods offered to consumers for goods and services by an online business must have these features.

Are there any rules or restrictions on the use of digital currencies?

Apart from PSD II, there are no specific rules or restrictions on the use of digital currencies as a means of payment. However, a licence may be required to trade in digital currencies. Further, it is unclear whether loyalty programmes qualify as digital currencies in certain circumstances, which may give rise to the application of the respective regulatory framework and its various complexities.

Domain names

Registration procedures

What procedures are in place to regulate the licensing of domain names? Is it possible to register a country-specific domain name without being a resident in the country?

Certain registries are responsible for allocating second-level domain names under top-level domain names. DENIC is the registry responsible for the registration of the geographical top-level domain ‘.de’. DENIC will register a domain name if it meets the registration requirements set out in its guidelines and the name has not already been registered by a third party. Domain name holders have a transferable right of use under their contract with DENIC. To transfer a ‘.de’ domain name, a document containing the details of the parties, the domain name and the fee is sufficient.

Country-specific domain names can be registered without being resident in Germany.


Do domain names confer any additional rights beyond the rights that naturally vest in the domain name?

In certain circumstances, domain name holders can take action against conflicting trademarks or other signs belonging to third parties that have seniority by referring to their ownership of the identical or similar second-level domain name. However, the second-level domain name must represent a company sign pursuant to Section 5(2) of the Trademark Act.

Trademark ownership

Will ownership of a trademark assist in challenging a ‘pirate’ registration of a similar domain name?

Yes, the owner of a trademark can take action against a conflicting (ie, identical or similar) domain name. However, such an action is usually possible only if the relevant goods and services are offered on a domain name which is identical or similar to the goods and services protected by the relevant trademark. An exception applies only if the trademark has a reputation or is well known in Germany. As a rule, only injunctive relief can be demanded; a claim to transfer the domain exists only in exceptional cases.

Dispute resolution

How are domain name disputes resolved in your jurisdiction?

Domain name disputes can be settled in or out of court (although the former occurs much less frequently in practice). If a claim is made against the use of a ‘.de’ domain name, no alternative dispute resolution mechanism is available. Rather, the procedure is generally based on German trademark and procedural law. The domain name holder will be contacted through an authorisation request or receive an immediate warning (ie, they will be notified of the infringement and asked to submit a cease and desist declaration). If an out-of-court settlement fails, the domain name dispute must be settled in court.



What rules govern advertising on the internet?

Online advertising must comply with the Act on Unfair Commercial Practices, which regulates the market behaviour of companies. Under the act, causing  ‘unacceptable nuisance’ to market participants is illegal. Advertising that uses a medium suited to distance marketing through which a consumer is persistently solicited (even when they have objected to being contacted) is considered an unacceptable nuisance. The following types of ads are also deemed unacceptable nuisances under the act:  

  • ads in which the identity of the party on whose behalf the communication is transmitted is concealed or kept secret;
  • ads that violate Section 6(1) of the Telemedia Act;
  • ads that prompt recipients to visit a website that violates Section 6(1); or
  • ads that provide no valid address to which recipients can request that no further messages of that nature are sent without incurring transmission costs pursuant to the basic rates.

This means that advertising must always be labelled as such. If AdWords, banners and pop-ups are used, they must disclose correctly their commercial character and may need to be appropriately labelled. Influencer marketing and viral marketing (eg, refer-a-friend schemes) should not be used as surreptitious advertising. Electronically supported refer-a-friend schemes have been extensively restricted in recent case law.

Digital businesses must also comply with data protection laws and the Telemedia Act. This applies in particular to tracking for advertising purposes, retargeting the analysis of cookies and the use of ‘like’ buttons and Facebook custom audiences. It is common for consumer consent to be obtained in order for data processing to be lawful. In addition, consumers must always be informed of the aims of data processing.

The same laws apply to online and print advertising (eg, copyright, personal and publicity rights or information obligations regarding guarantees under the Civil Code, the Battery Act or the Electrical Act).

The Advertising Council is a self-regulatory body which can intervene when ethical or moral limits are exceeded. However, in practice, competitors and consumer interest groups pursue their claims to ensure that the law is respected.


How is online advertising defined? Could online editorial content be caught by the rules governing advertising?

There is no standard legal definition of ‘online advertising’. The Act on Unfair Commercial Practices and the EU Misleading and Comparative Advertising Directive (2006/114/EC) define ‘advertising’ as any statement made in the course of trade, business, craft or professional activity to promote the sale of goods or the provision of services.

Under German law, editorial content must be strictly separated from advertising (the ‘separation requirement’). Editorial content differs from advertising by its objective, neutral and truthful character. The benchmark for the assessment of these features is the average consumer. Advertisers must label advertising as such.

Misleading advertising

Are there rules against misleading online advertising?

Misleading advertising is governed by the Unfair Competition Act. Advertising is considered misleading if it contains untrue or misleading information. However, advanced proof confirming advertising statements is required only in court proceedings, which must be subject to high standards. If studies are provided as evidence, they must be carried out and evaluated according to recognised scientific rules and principles.

In some cases, industry-specific regulations exist that are applicable in addition to the Unfair Competition Act. For example, scientific evidence is required under the Therapeutic Products Advertising Act for advertising claims whose alleged therapeutic efficacy is disputed by experts or for advertisers without scientifically substantiated research results.


Are there any products or services that may not be advertised on the internet?

In principle, any products can be offered online. However, various sector or product-specific laws must be observed. Specific rules apply to almost all industries (eg, the tobacco, alcohol, food, electronic product, chemical, cosmetics and textiles industries) and, as a result, businesses looking to sell products online should ensure that their ads comply with such rules.

Hosting liability

What is the liability of content providers and parties that merely host the content, such as ISPs? Can any other parties be liable?

Under Section 7(1) of the Telemedia Act, content providers are responsible for only their own content. Hosting providers are generally not responsible for content and it would be unreasonable to expect them to check all hosted content. However, under Section 10 of the act, once an infringement has been reported, the host provider must block the infringing content and prevent similar infringements.

Website hosting services and other media providers are fully responsible for their own content. They are also responsible for third-party content (eg, user-generated content) and liable for links to illegal content, at least when they become aware that the content is illegal.

Financial services


Is the advertising or selling of financial services products to consumers or to businesses via the internet regulated, and, if so, by whom and how?

The Federal Financial Supervisory Authority regulates the advertising and selling of financial services. Consumer protection associations may also seek to enforce market behaviour rules and unfair consumer terms where consumer interests are affected.


ISP liability

Are ISPs liable for content displayed on their sites? How can ISPs limit or exclude liability?

If content providers host third-party content (hosting providers) or provide access to, convey or buffer data to improve the efficiency of its transportation (access providers), they are generally not responsible for such content.

Websites and other media providers are responsible for their own content unreservedly as well as for third-party content which they appropriate (eg, if a website provider exploits user-generated content which it has reviewed for completeness and accuracy or demands to be granted the right of use over user-generated content). Content providers are also liable for links to illegal content at least when they become aware that the content is illegal.

Wireless network providers may also be liable for the infringement of IP rights if there are no other effective means to stop the infringement.

Liability for original or appropriated content cannot be limited by a disclaimer. A blanket dissociation from linked content is also ineffective and could increase liability if it is too extensive.

The exclusion or limitation of liability is possible only by contract, typically through the inclusion of respective general terms and conditions in a website’s contract of use. However, such contracts generally require that users actively agree to their terms and conditions. Further, according to legal provisions that regulate terms and conditions, such an exclusion or limitation may be invalid in certain circumstances.

Shutdown and takedown

Can an ISP shut down a web page containing defamatory material without court authorisation?

ISPs can generally remove defamatory or infringing content without permission if it is established that the content is illegal except where the content is protected by the privacy afforded to telecoms.

Intellectual property

Third-party links, content and licences

Can a website owner link to third-party websites without permission?

A simple link to a third-party website does not infringe copyright or competition law nor require permission if the content is public and unprotected (ie, not behind a paywall). Hyperlinks do not reproduce linked content, but rather provide simple access to it.

Direct external links (deep links), which are not marked or cannot be identified as such and thus give the impression that linked content originates from their own website, are an exception to this rule.

Can a website owner use third-party content on its website without permission from the third-party content provider? Could the potential consequences be civil in nature as well as criminal or regulatory?

Open content can be used on websites without express permission by third-party content providers if the user complies with the terms of the licence in question (eg, Creative Commons).

The use of content protected by unlicensed IP rights may lead to legal action by the rights holder. The rights holder will usually send a cease and desist letter. There is no immediate fine associated with receiving a cease and desist letter. The only monies to be paid initially are the rights holder’s legal or administrative fees before any court proceedings. A cease and desist letter usually requests the recipient to:

  • cease the infringing action; and
  • sign an undertaking promising to pay a contractual penalty in case of culpable infringement with a penalty clause.

If a website owner signs an undertaking and pays the legal costs involved (usually between €300 and €2,000), complaints will most likely not result in a court action as the claim will lose its substance. If a website owner signs a cease and desist declaration with a penalty clause but continues the infringing action, the contractual penalty or an amount established by the courts (typically €5,000 for the first infringement depending on the infringement’s scope, impact and gravity) is due and payable to the contracting partner. If a website owner refuses to sign a cease and desist declaration, the rights holder can file for an interim injunction at a competent court.

The courts may grant a cease and desist injunction and an obligation to pay a penalty for any future infringements. Rights holders may also claim damages suffered for the use of their intellectual property without a valid licence, which are calculated through a licence fee analogy. In addition, rights holders may make claims for information, which are burdensome in practice.

Intentional IP infringement can result in three years’ imprisonment.

Can a website owner exploit the software used for a website by licensing the software to third parties?

Software used to create websites is protected by copyright if it constitutes a personal intellectual creation and exceeds a certain threshold of originality. However, the reproduction of a website is not protected under German copyright law per se. Websites as a whole are protected only if they can be seen as personal intellectual creations. However, extended ancillary copyright can be enforced under competition law if the exploitation of a website infringes the rules of fair competition.

Are any liabilities incurred by links to third-party websites?

Liabilities through links to third-party websites may be incurred if the linked content is infringing. The party that links to the infringing content may be held liable where there is knowledge of the facts of the case and their illegality or if the party linking the content should have known that the links provided access to unauthorised published work. In particular, this is the case if the rights holder has notified the operator of the linking website. The European Court of Justice (ECJ) imposes stricter requirements on commercial users for the linking of content (8 September 2016, C-160/15). According to the ECJ, if a link is placed with the aim of making a profit, it can be expected that the party placing the link will have conducted the necessary investigation to ensure that the original work has been published in a legally compliant manner on the linked website. According to the ECJ, if there is a presumption of bad faith, the linking party must prove that they have fulfilled their duty to investigate the linked content.

Video content

Is video content online regulated in the same way as TV content or is there a separate regime?

Online video content falls under the Telemedia Act, which sets out minimum advertising requirements. Further, online video content can be subject to the Interstate Broadcasting Treaty (RStV) – in particular, the rules on advertising and labelling requirements – if it is ‘TV like’ and provided on demand (eg, videos on Instagram do not fall under the RStV, but on-demand videos do).

Unlike terrestrial television, online video streams do not require a broadcasting licence, with the exception of online content available that is available all the time (eg, Twitch), which qualifies as a broadcast and as such requires a licence under the RStV.

IP rights enforcement and remedies

Do authorities have the power to carry out dawn raids and issue freezing injunctions in connection with IP infringement?

The criminal justice authorities can order freezing injunctions, the search of premises and the seizure of evidence as part of criminal investigation proceedings in connection with IP infringements.

However, measures conducted by Customs, in particular border seizure procedures, are of great practical importance.

What civil remedies are available to IP owners? Do they include search orders and freezing injunctions?

Civil remedies include claims for injunctive relief, removal and damages. Injunctive relief is often granted on an interim basis by a preliminary injunction, which can be issued ex parte within a few days after filing. German law also provides for a legal instrument (arrest) comparable to freezing orders under UK law where there is real likelihood of assets leaving the country. However, this remedy is rarely applied in IP litigation.

Further, rights holders are provided with remedies to prevent any difficulties with gathering evidence. IP rights holders can request information on the provenance and distribution channels of infringing goods and the submission of documents provided that there is a reasonable likelihood of infringement.

Data protection and privacy

Definition of ‘personal data’

How does the law in your jurisdiction define ‘personal data’?

The term ‘personal data’ is defined in the EU General Data Protection Regulation (GDPR) as any information relating to an identified or identifiable natural person. An identifiable natural person is someone who can be identified, directly or indirectly, by reference to an identifier such as a name, an ID number, location data, an online identifier or one or more factors specific to their physical, physiological, genetic, mental, economic, cultural or social identity. Beyond that, sensitive data (ie, personal data that reveals a person’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or health conditions) occupy a special position. The processing of sensitive data is permitted only under certain conditions.

Registration requirements

Do parties involved in the processing of personal data, such as website owners, have to register with any regulator to process personal data?

Data controllers do not have to register with a regulator. However, they must designate a data protection officer if they employ at least 10 people who deal with the automated processing of personal data. The supervisory authority must be notified of the data protection officer’s identity.

Cross-border issues

Could data protection laws and regulatory powers apply to organisations or individuals resident outside of the jurisdiction?

Yes, the GDPR applies to the processing of personal data of data subjects in the European Union by a controller or processor based outside the European Union where such processing concerns:

  • the offering of goods or services, irrespective of whether a payment is required; or
  • the monitoring of the behaviour of data subjects that takes place in the European Union.
Customer consent

Is personal data processed on the basis of customer consent or other grounds? What is the commonly adopted mechanism for obtaining customer consent or establishing the other grounds for processing?

Personal data can be processed on the basis of statutory justifications or consent. Statutory justifications apply, in particular, if the processing of data is required:

  • to perform a contract to which the data subject is party;
  • to comply with a legal obligation; or
  • for a legitimate interest.

Consent must be given transparently, voluntarily and knowingly (ie, an opt-in) and data subjects must be adequately provided with sufficient information about the revocability of said consent.

Sale of data to third parties

May a party involved in the processing of personal data, such as a website provider, sell personal data to third parties, such as personal data about website users?

There are no specific rules in Germany on the sale of personal data. The GDPR does not permit the sale of data to a third party (data transfer). Licensing data requires a legal basis for data processing. Consent might work, but the debate is ongoing about the legitimate sale of data (eg, as part of an M&A asset deal), if certain requirements are met. Parties must ensure that they do not violate the GDPR.

Customer profiling

If a website owner is intending to profile its customer base to carry out targeted advertising on its website or other websites visited by its customers, is this regulated in your jurisdiction?

Customer profiling for personalised advertising requires the data subject’s consent almost without exception. Consent must be given transparently, voluntarily and knowingly (ie, an opt-in) and data subjects must be provided with sufficient information about the revocability of said consent.

Profiling on the basis of legitimate interests is theoretically not excluded and depends on the individual case, which could make consent unnecessary. However, the competent authorities view profiling for advertising purposes unfavourably and a lack of consent involves significant risk.

Data breach and cybersecurity

Does your jurisdiction have data breach notification or other cybersecurity laws specific to e-commerce?

The GDPR’s general rules on data breach notification also apply to e-commerce, in particular:

  • Article 4 (which defines ‘data breaches’ and ‘personal data’);
  • Article 32 (which sets out IT security rules);
  • Articles 33 and 34 (which set out the rules on notifications of personal data breaches);
  • Article 82 (which covers damages claims for affected data subjects); and
  • Article 83 (which imposes fines for the infringement of applicable rules).

Further, the Federal Data Protection Law must also be complied with, in particular:

  • Section 29 (which sets out data controllers’ notification duties);
  • Section 64 (which provides a list of required technical and organisational measures that must be implemented to ensure data processing security); and
  • Section 83 (implementing data subjects’ rights to claim immaterial damages in addition to other damages and regulatory fines).

Data breaches must be reported where there is a risk that a member of an external or internal organisation has gained unauthorised access to the personal data of an EU citizen. Data controllers or processors must examine the incident and its potential consequences.

Unauthorised access to personal data must be notified to the relevant supervisory authorities unless the specific risks have been excluded (eg, through encryption). Notification must take place within 72 hours of the data breach being discovered and must provide concrete information and additional details of the incident and the countermeasures taken.

Further, if there is a high risk to the rights and freedoms of natural persons (eg, financial and social harm, identity theft or professional secrecy), data controllers must inform the persons concerned immediately unless technical protection against the risks is provided (eg, encryption). The supervisory authority may order the publication of a public notification of a data breach.

A breach of reporting obligations following a data breach can be punished with a fine of up to €10 million or 2% of the infringer’s worldwide annual turnover. Further, data subjects affected by a data breach can claim material and immaterial damages due to a data controller’s failure to report the breach to the regulators in a timely manner and inform the data subjects.

With regard to cybersecurity, German law places particular obligations on providers of information services (eg, website providers, online platforms and app providers). Section 13(7) of the Telemedia Act requires “state of the art cybersecurity means” to be implemented, such as encryption or certified authentication functionalities.

What precautionary measures should be taken to avoid data breaches and ensure cybersecurity?

According to Section 13(7) of the Telemedia Act, e-commerce providers must implement “state of the art cybersecurity means” such as encryption or certified authentication functionalities. As of 14 September 2019, two-factor authentication is recommended as a minimum authentication for online payments (a mandatory legal obligation has been postponed). In particular, providers must implement protection against unwanted access to their services (eg, by installing all available updates and patches to software and implementing two-factor authentication, encryption and active security management such as ISO 27001). Providers must also ensure availability of their services and data by way of regular backups or redundant infrastructure.

The required minimum level of cybersecurity will be tested against technically available and economically feasible means. This involves an individual review of the provider’s financial capacities, the relevance of the relevant service to the online marketplace and the sensitivity of the data handled. Failure to implement the required and feasible level of cybersecurity for online services will lead to fines of up to €50,000 and indirect damages being paid to the affected users.

Under the GDPR’s data security rules, the handling of personal data should follow the principles of privacy by design and by default. This means that data which will not be processed should not be handled or stored. Further, data processing activities must respect and specifically protect the privacy of users’ personal data.


Is cybersecurity insurance available and commonly purchased?

Cybersecurity insurance is available on the German market and is becoming increasingly popular as CEOs realise the economic risk attached to cybersecurity. Under German law, the management of a company is personally liable for the adequate management of potential risks to a company, including cyber risk. Thus, managers should seek to insure against such challenges.

Cyber insurance typically covers first-party damages (eg, loss of digital content, business continuity failure or reputational damage) and third-party damage (eg, damages paid to affected individuals, forensic and legal cost relating to handling the breach or in some cases even fines). However, insurance policies will often try to exclude the recovery of fines – in particular, when a company cannot prove that it did not act in bad faith. In some cases, insurers have argued that a warfare exception should apply, as cyberattacks should be seen as part of cyberwarfare (eg, acts of state-financed hacking involving foreign intelligence).

The German courts are still reluctant (compared with, for example, the US courts) to grant a large amount of damages. Therefore, the need for insurance in this context is limited. Further, additional means of recovery such as offering free credit monitoring services to affected customers are uncommon, as they are allowed only in limited circumstances.

Ransomware and blackmailing through attacks on IT infrastructure are also major causes of concern. When companies face serious disruption to their production and business with third-party customers, they may be willing to pay whatever ransom it takes to free up their IT infrastructure. For the German courts, the payment of a ransom constitutes unlawful assistance of a criminal act and the paying company and its managers may face serious criminal charges. This is why ransomware attacks need to be handled quickly and effectively by experienced reaction teams with predefined and pretested reaction plans. Insurers will be unable or unwilling to cover such criminal charges.

Insurers have failed to implement a pricing mechanism that refers to pre-certified or pre-examined levels of cyber protection. This could be due to the lack of statistical data relating to cyberattacks in the past, which is why respective pricing models will be developed when more data is available.

Right to be forgotten

Does your jurisdiction recognise or regulate the ‘right to be forgotten’?

The ‘right to be forgotten’ is a statutory right under Article 17 of the Data Protection Act, which transposes the GDPR into German law. The lawful processing of personal data may be the subject of a cancellation claim at a later stage if the reasons for such a claim are deemed to be concrete. The European Court of Justice’s 2014 decision that in certain circumstances, a search engine operator can be forced to remove personal data also constituted a landmark judgment in Germany.

Email marketing

What regulations and guidance are there for email and other distance marketing?

Advertising via an automated calling machine, fax machine or email requires the recipient’s prior express consent (Section 7(2)(3) of the Act Against Unfair Competition). This requirement applies regardless of whether the recipient is a consumer or another market participant. The consent of an email recipient should be verified through a double opt-in. Email marketing without consent is permitted only in an existing customer relationship if certain conditions are met (Section 7(3) of the Act Against Unfair Competition). Neither the sender nor commercial character of messages can be concealed (Section 6 of the Telemedia Act). In addition, the requirements of the GDPR must be met.

Consumer rights

What rights and remedies do individuals have in relation to the processing of their personal data? Are these rights limited to citizens or do they extend to foreign individuals?

With regard to the processing of their personal data, under Articles 13 to 22 of the GDPR, individuals have the right to:

  • information thereon;
  • access thereto;
  • the rectification thereof;
  • the erasure thereof;
  • restrict the processing thereof;
  • data portability thereof; and
  • object and not to be subject to a decision based solely on automated processing.

Damages that result from a GDPR infringement must be compensated (Article 82 of the GDPR).

These individual rights must be complied with by EU-based data controllers or processors regardless of the nationality of the data subject or where the data is processed. The GDPR applies to all individuals in the European Union to whom products or services are offered.


Online sales

Is the sale of online products subject to taxation?

For online sales (e-commerce), the decisive factor with regard to taxation is whether the sales process is carried out online (ie, both the ordering and delivery of the item) or whether only the order is placed online and delivery is carried out in a conventional way. In the first case, online sales fall within the scope of  Section 3a(4)(14) of the VAT Act, while the second example is considered part of the normal mail order industry (offline sales).

Both types of sale are subject to taxation. Downloading software is considered an electronic service carried out at the place of residence of a private person in an EU country and is subject to VAT according to local law (Section 3a(5) of the VAT Act). Accordingly, a German citizen who downloads a product from a server in another EU country is subject to German VAT.

Server placement

What tax liabilities ensue from placing servers outside operators’ home jurisdictions? Does the placing of servers within a jurisdiction by a company incorporated outside the jurisdiction expose that company to local taxes?

A server is considered a permanent establishment which is taxable in the jurisdiction where it is located if it performs "significant and essential" functions or functions that are key to an entity's operations. The tax authorities must determine whether a server carries out subordinate or auxiliary activities.

Company registration

When and where should companies register for VAT or other sales taxes? How are domestic internet sales taxed?

As of 1 January 2015, the European Union's VAT Mini-One-Stop-Shop scheme has been available in all EU member states for online sales (see ‘Online sales’) of telecoms, radio, television or electronic services in another EU member state. Companies can declare tax on their electronically supplied services in another EU member state centrally through the competent office in their home country and pay the tax in full.

If a trader does not use the Mini-One-Stop-Shop scheme, online purchases from another EU member state must also be taxed in that state, as the so-called ‘consumer country principle’ applies. The online retailer must also register in the relevant countries (eg, the Federal Central Office for Taxes).


If an offshore company is used to supply goods over the internet, how will returns be treated for tax purposes? What transfer-pricing problems might arise from customers returning goods to an onshore retail outlet of an offshore company set up to supply the goods?

Goods returned in exchange for a refund will lead to a refund of the import sales tax if the return is made within three years.

If a customer returns goods to an onshore retail outlet, the customer will be refunded the full price. However, the company remains burdened with the import sales tax.



Is it permissible to operate an online betting or gaming business from the jurisdiction?

In Germany, the state has a monopoly on gambling, including online betting and gaming businesses. Gambling is heavily regulated under the State Treaty on Gambling, which stipulates a multitude of prohibitions and requirements for the acquisition of an official licence, but betting or gambling for free or without a wager is not regulated. Once an official licence has been acquired, online betting or gaming businesses can be operated from Germany.

Are residents permitted to use online casinos and betting websites? Is any regulatory consent or age, credit or other verification required?

German residents can use properly licensed online casinos and betting websites when they are 18 years old or above. Business operators must take specific steps to enforce this age requirement. Failure to meet this requirement can result in penalties being imposed on operators and participants. Notably, Germany’s gambling monopoly does not correspond with EU legislation and is keenly disputed. A gradual change in German legislation to comply with EU alignment efforts is expected.


Key legal and tax issues

What are the key legal and tax issues relevant in considering the provision of services on an outsourced basis?

It is important to define the exact scope of outsourced services and their quality. Quality is generally specified in a service level agreement. Conversely, the agreement must contain specific provisions on customer cooperation obligations. Other key issues include provisions regarding the migration of data and the cooperation of service providers following the termination of a contract in order to switch to a new service provider.

Employee rights

What are the rights of employees who previously carried out services that have been outsourced? Is there any right to consultation or compensation, and do the rules apply to all employees within the jurisdiction?

Where an operation or part of an operation is transferred to a service provider, the employment contracts of the relevant employees are also transferred to the service provider by power of law. The employees must be informed in advance and have the right to object to the transfer of their employment.

Online publishing

Content liability

When would a website provider be liable for mistakes in information that it provides online? Can it avoid liability? Is it required or advised to post any notices in this regard?

The liability for mistakes in information is identical for online and offline publication. If incorrect information is of a commercial nature it may constitute a violation of the Act Against Unfair Competition. Statements that contain untrue factual claims can also constitute a violation of personal rights.

Liability for personal or appropriated content cannot be limited unilaterally (eg, by a disclaimer). A blanket dissociation to linked content is also ineffective; if such a disclaimer is too extensive, it may even increase liability. Liability is subject to various factors, including licence terms and factual control, whether content is ‘appropriated’ or remains third-party content (which has less stringent liability rules).

Websites and other media providers are responsible for their own content in accordance with the law, without restrictions. They are also responsible for third-party (eg, user-generated) content that they appropriate (eg, if a website provider exploits user-generated content after reviewing it for completeness and accuracy or demands to be granted the right of use of user-generated content).


If a website provider includes databases on its site, can it stop other people from using or reproducing data from those databases?

In principle, databases and compilations can be protected under German copyright law if the selection or arrangement of the individual elements constitutes a personal intellectual creation. However, the purely technical, schematic or routine selection or arrangement of data is not sufficient for protection. Further, the simple sequencing of data does not constitute a personal intellectual creation.

Databases that do not constitute a personal intellectual creation enjoy minor protection if the database enjoyed a large capital investment. However, this protection covers only the database in its entirety or substantial parts of it for 15 years after its creation.

Rights holders can stop other people from using their protected databases by means of notices (cease and desist letters). If an infringing party refuses to sign a cease and desist declaration, the rights holder may file for an interim injunction at a competent court. The court may grant an injunction with a cease and desist injunction combined with an obligation to pay a penalty for future infringements. Rights holders may also claim damages (calculated using a licence fee analogy) for infringing use of their database without a valid licence. Further, rights holders may assert claims for information; however, they are burdensome in practice.

Rights holders can protect works using technological measures pursuant to Section 95(a) et seq of the Copyright Act. ‘Technological measures’ are technologies, devices and components which, in the normal course of their operation, are designed to prevent or restrict unauthorised acts concerning protected works or other subject matter protected pursuant to the Copyright Act (eg, encryption technologies, filter systems, digital rights management systems and geo-blocking measures). Section 95(a) of the Copyright Act prohibits the circumvention of technological measures and corresponding preparatory and support actions.

Dispute resolution


Are there any specialist courts or other venues in your jurisdiction that deal with online/digital issues and disputes?

There are no such specialist courts.


What alternative dispute resolution (ADR) methods are available for online/digital disputes? How common is ADR for online/digital disputes in your jurisdiction?

If goods or services are sold online to consumers, the merchant can use the European Commission’s online dispute resolution platform. Merchants must inform consumers of whether they are willing to use the platform before completing a contract. However, alternative dispute resolution is rare in Germany, although certain sector-specific initiatives exist.

Update and trends

Key developments of the past year

Are there any emerging trends or hot topics in e-Commerce regulation in the jurisdiction? Is there any pending legislation that is likely to have consequences for e-Commerce and internet-related business?(EU JURISDICTIONS ONLY: How do you anticipate the General Data Protection Regulation and the e-Privacy Regulation will impact e-commerce?)

EU Directive 2019/770 on certain aspects concerning contracts for the supply of digital content and digital services and EU Regulation 2019/1150 on promoting fairness and transparency for business users of online intermediation services will have consequences for e-commerce and internet-related business in Germany. A ‘New Deal for Consumers’ is also expected by the end of 2019, which will introduce comprehensive consumer protection rules in similar sectors.

Further, it seems that an EU Digital Services Act could replace the EU E-commerce Directive (2000/31/EC) and provide uniform rules for the removal of illegal content and future-proof liability provisions. According to rumours, the European Commission is also considering setting up its own authority to regulate online services such as Google and Facebook.

Law stated date

Correct on

Give the date on which the information above is accurate.

10 October 2019.