Germany

Germany plans to eliminate paper checks entirely by 2027, with the Bundesbank shutting down automated interbank check processing infrastructure. This regulatory change requires businesses to transition to digital payment methods like SEPA real-time transfers, which are supported by EU mandates for payment service providers.

German financial regulator BaFin led Operation Heracles, shutting down over 1,400 illegal domains in Eastern Europe linked to investment fraud. This enforcement action highlights increased regulatory scrutiny on cross-border financial crime and AI-enabled scams, signaling that firms must strengthen AML/KYC and fraud detection measures.

The German Federal Labor Court ruled that blanket paid-leave release clauses in employment contracts are unenforceable if they allow employers to place terminated employees on leave without stating reasons or balancing interests. Paid leave remains permissible with case-by-case justification and documentation, and company car revocation clauses tied to paid leave must include specific conditions and safeguards.

The German Federal Labor Court ruled that employers remain liable for compensation when job applicants are rejected based on religious headscarves, even if recruitment is outsourced to external selection companies. The court clarified that applicants need only present evidence making discrimination 'predominantly probable' (proof by indicia), shifting the burden to employers to provide full proof of non-discriminatory reasons. This enforcement action reinforces anti-discrimination obligations under the AGG and requires employers to ensure external recruiters comply with these laws.

The Bavarian data protection authority has ruled that credit reference agency CRIF illegally traded personal data with address trader Acxiom, violating GDPR principles including purpose limitation and transparency requirements. This enforcement action signals increased regulatory scrutiny of data trading practices and may lead to a general ban on data purchases from address traders in Germany.

German Data Protection Authorities have failed to decide GDPR complaints against six major political parties for illegal political microtargeting during the 2021 elections, allowing continued use of proxy targeting methods. This enforcement gap highlights ongoing non-compliance with Article 9 GDPR protections for sensitive political data, posing election integrity risks.

Acxiom is using legal maneuvers to block privacy advocacy group noyb from accessing GDPR enforcement case files, potentially delaying action against alleged violations involving data misuse for credit scoring. This highlights ongoing enforcement challenges under GDPR, including corporate resistance tactics that may prolong non-compliant data processing.

The German Federal Court of Justice (BGH) issued a landmark ruling establishing that the mere loss of control over personal data constitutes compensable damage under the GDPR, even without proof of additional harm like financial loss or misuse. This overturns previous German court practices that required tangible harm for GDPR damages claims and strengthens data subject rights enforcement in Germany.

The German Data Protection Authority of Lower Saxony (LfD) has ruled the 'Pay or Okay' model used by heise.de illegal, issuing a reprimand for violating GDPR consent requirements. This enforcement action signals increased regulatory scrutiny of consent mechanisms that force users to choose between paying or accepting extensive data processing, aligning with similar rulings in Austria and German DSK guidelines.

German political parties face GDPR enforcement actions for using Facebook microtargeting during the 2021 federal election, violating Article 9 protections for political opinions as sensitive data. This signals increased regulatory scrutiny of political data processing and microtargeting practices across Europe.

Privacy organization noyb has filed a lawsuit against German data protection authorities in North Rhine-Westphalia and Hesse for failing to act on GDPR complaints about 'Pay or OK' systems for nearly four years. This signals potential increased enforcement scrutiny of consent mechanisms that force users to choose between paying for privacy or consenting to tracking, which may violate GDPR's 'freely given' consent requirement.

The Hamburg Data Protection Authority has initiated an Article 66 GDPR urgency procedure against Meta and the Irish DPC regarding Meta's AI training practices. This enforcement action could compel Meta's lead regulator to halt AI training that uses user data without consent, signaling increased regulatory scrutiny of AI data processing under GDPR.

Privacy organization noyb has filed a complaint against German credit agency SCHUFA with the Hessian data protection authority for systematically violating GDPR Article 15 rights. The complaint alleges SCHUFA manipulates customers by hiding free data access rights, using deceptive design practices, and delaying free information delivery while promoting paid products. This enforcement action signals increased regulatory scrutiny of data subject rights compliance under GDPR.

German data protection authorities are pursuing enforcement action against WetterOnline for GDPR violations after the company refused a data subject access request, claiming 'disproportionate effort' - an argument not recognized under GDPR. This case signals increased regulatory scrutiny of data monetization practices and serves as a warning to companies processing location data.

noyb has filed a complaint against Acxiom and CRIF Bürgel for using personal data collected for direct marketing to calculate credit scores without consent, violating GDPR and German data protection laws. This enforcement action highlights increased scrutiny on data processing practices in credit scoring, affecting millions of individuals and signaling heightened regulatory pressure in the financial sector.

Germany has adopted a new Climate Protection Program with 67 measures across energy, transport, buildings, and agriculture sectors, backed by €8 billion in investments over four years. The program aims to reduce emissions by 65% by 2030 compared to 1990 levels, saving over 25 million tons of CO2 annually by 2030 through initiatives like wind power expansion, EV subsidies, and industrial decarbonization.

German federal police (BKA) have taken unprecedented emergency action in response to a critical remote code execution vulnerability (CVE-2026-4681) in PTC Windchill and FlexPLM systems. This represents a significant regulatory enforcement action signaling heightened cybersecurity scrutiny for critical infrastructure sectors, with immediate mitigation requirements for affected organizations.

Germany's financial regulator BaFin has identified shortcomings in the implementation of the Sustainable Finance Disclosure Regulation (SFDR), highlighting compliance gaps in ESG reporting. This signals increased regulatory scrutiny and potential enforcement actions for financial institutions failing to meet SFDR requirements.