Guide to Germany’s Telecommunications and Telemedia Data Protection Act (TTDSG)

In this guide:

  1. Overview of Germany’s TTDSG
  2. Guide your organization to compliance
  3. How Privacy Bee protects your business

Overview of Germany’s Telecommunications & Telemedia Data Protection Act (TTDSG)

The German Federal Act on Privacy in Telecommunications and Telemedia, or Telekommunikation-Telemedien-Datenschutzgesetz (TTDSG), governs the privacy aspects of electronic communications and telemedia in Germany. The law specifically addresses the confidentiality and secrecy of digital communications, encompassing elements like cookie usage and data storage.

This legislation merges two existing laws, the Telemedia Act (TMG) and the Telecommunications Act (TKG), to align them with the EU’s General Data Protection Regulation (GDPR) and ePrivacy Directive, since Germany is an EU member state. That said, this is an entirely new law rather than a modification of existing ones, unlike similar legislation enacted in other EU member states.

With the implementation of the TTDSG, Germany became the final EU member state to fully adhere to EU privacy regulations and the ePrivacy Directive. However, Germany is taking additional steps by attempting to establish standards for consent management service providers, exemplified by the objectives and provisions within which are detailed below.

The primary objectives of the TTDSG are to:

  1. Strengthen user privacy and data protection: The TTDSG introduces stricter requirements for obtaining user consent for data processing, particularly for the use of cookies and other tracking technologies. It also grants users more control over their personal data and enhances their rights to access, rectify, erase, and restrict the processing of their personal data in Germany and abroad via international data transfer regulations aligning with GDPR.
  2. Harmonize data protection rules: The TTDSG aligns the data protection rules for telecommunications and telemedia services, eliminating inconsistencies and legal uncertainties that existed under the previous framework. This harmonization aims to simplify compliance for businesses and ensure a consistent level of protection for user data across both sectors.
  3. Implement EU directives: The TTDSG transposes the EU ePrivacy Directive and supplements the GDPR in the context of telecommunications and telemedia services. This ensures that German data protection law aligns with EU standards and contributes to a harmonized data protection framework across the European Union.

In order to fulfill these objectives, the TTDSG outlines specific data processing principles like purpose limitation, data minimization, accuracy of data storage, and storage limitation (in terms of how long data can be kept) along with a requirement for lawful, fair and transparent data processing practices. To back all of these principles, the TTDSG provides German consumers with the following rights, briefly mentioned previously:

  • Access and rectification: Data subjects have the right to access their personal data and request corrections.
  • Erasure (right to be forgotten): Individuals can request the deletion of their data under certain circumstances.
  • Data portability: Data subjects have the right to receive their personal data in a commonly used and machine-readable format.
  • Object/restrict processing: Individuals can object to the processing of their data in certain situations.

All of these rights help German residents and consumers better control how and by whom their own personal data is used. In addition, the TTDSG requires clear and affirmative consent from users before the processing of their personal data, particularly for the use of cookies and other tracking technologies. Consent must be freely given, specific, informed, and unambiguous, to ensure people know exactly what they’re agreeing to upfront before any data processing occurs.

The TTDSG represents a significant step forward in strengthening data protection and privacy in the digital realm. By aligning with EU standards and going above and beyond, the TTDSG harmonizes data protection rules for telecommunications and telemedia services, provides greater clarity for businesses operating in both sectors, and enhances user control over their personal data. Businesses must carefully review their data processing practices and implement appropriate measures to comply with the TTDSG’s requirements.

Source: Federal Commissioner for Data Protection and Freedom of Information

Guide your organization to compliance

If you conduct online operations involving the use of cookies and tracking technologies available and/or aimed at German consumers, then you must be aware of all TTDSG provisions. To determine if this applies to you, consider the following:

  • Are you categorized as a telecommunication or telemedia provider according to the TTDSG?
  • Is your business operational in Germany?

If the response to both queries is yes, then you and your business operations must adhere to the law. Then you must consider:

  • Do you have legitimate reasons for processing personal data?
  • Is there a legal basis supporting your personal data processing activities?
  • Do you intend to deploy cookies and tracking technologies to gather personal information from users’ devices?

A positive response to all of these questions necessitates the implementation of a consent management solution across your website to ensure you are collecting and recording user consent at the time of data processing. If uncertainties persist, it is advisable to consult with your data protection officer (DPO) or seek guidance from another data protection legislation professional.

Failure to comply can result in penalties imposed by the Data Protection and Freedom of Information (BfDI) Commissioner. Adhering to these regulations ensures you steer clear of substantial fines, which are capped at either EUR 20 million or 4% of the annual turnover, depending on which amount is higher, while allowing you to differentiate your business by building trust with consumers.

Thus, the data protection provisions outlined in the TTDSG impose significant obligations on businesses related to cookies and tracking technologies. Businesses are required to seek user permission upon their initial website visit for the processing of personal information, which is the core piece of this. As part of this, the law stipulates that an individual’s consent must be:

  1. Freely given: Users cannot be compelled to agree in exchange for access to content or other services.
  2. Specific: Each processing purpose must be independently approved by the website visitor.
  3. Informed: Businesses must inform website visitors about the processing of personal data when seeking permission.
  4. Unambiguous: Users must proactively express approval, indicated by checking consent checkboxes. Despite the initial marking being inappropriate, Planet49 faced fines for leaving them pre-checked.
  5. Easily revoked: Companies must facilitate a straightforward process for users to withdraw consent.

An exception to the cookie consent requirement exists when cookies are essential for website functionality or necessary for communication over a public telecommunications network. The law distinguishes between:

  • Essential cookies: These are indispensable for delivering telecommunications or telemedia services and do not require explicit permission.
  • Non-essential cookies: Permission is necessary for these cookies, which include Google Analytics, social media pixels, and other tracking technologies that store information but are not crucial for service provision.

In addition, the TTDSG specifies that businesses and users can engage with Personal Information Management Systems (PIMS), which serve as platforms for managing consent.

The TTDSG has significant implications for businesses operating in the telecommunications and telemedia sectors in Germany. Businesses must adapt their data processing practices to comply with the stricter consent requirements, transparency obligations, and data minimization principles. They must also implement robust data security measures and ensure that any cross-border data transfers comply with the TTDSG’s provisions.

How Privacy Bee protects your business

The safeguarding of personal data and transparent disclosures of data utilization are essential for businesses involved in online service provision in Germany today. Globally, new regulations are emerging constantly to necessitate more rigorous opt-in and opt-out protocols while affording consumers greater authority to scrutinize, modify and delete their data.

Despite the proliferation of these regulations, the primary responsibility still rests on individuals to supervise, evaluate, and request the deletion of their personal data dispersed across the internet. Managing this task across an entire operation is particularly challenging, often requiring professional assistance as it is a herculean effort for a single person or a small team. However, identifying and eliminating this data is crucial in deterring cyber threats, reducing a company’s attack surface, and mitigating the risk of a data breach.

Enter Privacy Bee as the optimal solution complementing existing cybersecurity best practices by streamlining the laborious process of monitoring and eradicating employee personal data for the entire business.

Privacy Bee not only diminishes the spread of your organization’s personal data across the expansive digital landscape but also extends its protective shield to vendors. This helps ensure that third-party partners do not become weak links in your security defenses. Even if you are already conducting risk assessments and vendor surveys, it’s essential to acknowledge that vendors are most vulnerable to breaches due to inadequate data privacy management.

In the billion-dollar surveillance industry, Data Brokers and People Search Sites play pivotal roles, profiting by trading your organization’s information with obscure entities. The consequences of private data exposure on the internet are extensive and pose significant threats when accessed by malicious hackers. Especially for highly-visible executives, the risks of doxxing and social engineering attacks is simply too high.

A single data breach can result in productivity loss, expensive remediation efforts, and recurring breach incidents. The aftermath not only affects your bottom line but also erodes brand value and customer trust over time. Privacy Bee proactively combats threats beyond your organization’s perimeters by pinpointing and swiftly purging every corner of the internet where your data resides. The service includes dark web monitoring and provides timely data breach notifications if another company falls victim, potentially exposing your information.

In our unwavering commitment, we firmly believe that privacy is an inherent human right transcending political discussions. Privacy Bee diligently monitors user data for security vulnerabilities while holding the companies misusing and abusing your data accountable. We compel Data Brokers, People Search Sites, and over 150,000 additional websites to erase stored data and opt you and your employees of further data collection.

Privacy Bee protection covers a wide range of potential threats, including:

  • Data breaches
  • Social engineering attacks
  • Doxxing
  • Identity theft
  • Spam emails
  • Telemarketing calls
  • Cyberstalking
  • Swatting
  • Blackmail

Our service is a powerful tool for business leaders who want to protect their employees’ and customers’ data. In today’s world, where privacy is more important than ever, Privacy Bee is your trusted partner in the fight to preserve personal and organizational integrity.

Trusted by thousands of companies.

Instant access to the world's leading business privacy platform. Dive into your account: