The GDPR has been in force as the European standard for data protection since May 25, 2018. However, there are still some shortcomings, especially in the enforcement of the GDPR by German authorities.

Find out here which five shortcomings still exist in German data protection after five years of the GDPR.

1. Handling complaints on the basis of the GDPR

Even if Ireland comes to mind when people hear the phrase "inactive data protection authorities," Germany is not a prime example in this area either. The authorities still have a long way to go before they get a grip on tracking on websites and in apps.

If one traces this grievance further back, however, one quickly realizes that in Germany submitted complaints are usually not processed at all. This is particularly noticeable in North Rhine-Westphalia: of the 29 complaints submitted in NRW in recent years by noyb (none of your business), the data protection organization of the Austrian Max Schrems, only one has actually been completed. In some cases, there was not even a response from the authorities. The complaints often concern large websites.

The authorities themselves admit that they can only proceed on a random basis. The main reason for this is a lack of capacity. Data protection officers who submit several complaints to an authority are often told that a limit has been reached and that further complaints from the same complainant will no longer be processed. The responsible authority then no longer pays any attention to whether these are "minor" or major violations.

2. Fines under the GDPR

If one looks at the complaints actually pursued, it also quickly becomes clear that the fines are relatively low.

The data protection organization noyb (none of your business) also criticizes the fact that the reasons for the decision cannot be identified. Unlike many other member states, German data protection authorities do not publish their decisions. This means that fines imposed cannot have any deterrent or general preventive effect.

3. Still many tracking violations

In the five years of the GDPR, media portals in particular have been a big problem, as in many cases they make a living from behavioral advertising.

Even though there has already been some progress here thanks to the intensive supervision by the German data protection authorities, there are still many abuses in tracking. Analytics tracking, misleading cookie banners and data transfers to unsafe third countries are still too common.

With regard to consents obtained, however, there is still some legal uncertainty here, which has recently been somewhat defused by the TTDSG.

4. No standardization and automation in the enforcement of the GDPR

One big question is how the data protection authorities will now find their way out of the overload. Bettina Gayk, the State Commissioner for Data Protection and Freedom of Information in North Rhine-Westphalia, sees no room for maneuver when it comes to fines, since the legal situation is not precise enough. "But it would be possible to search more intensively for standard tracking violations on one's own initiative, but this would only be possible within the framework of free working capacities."

In this regard, federal states such as Baden-Württemberg are already using their own inspection tools to process many violations quickly, in a standardized and automated manner. Such an approach can speed up enforcement, but it does not eliminate the underlying imbalance: putting unauthorized analytics tracking into use requires only a few clicks, while authorities usually take years to enforce its removal via pages of briefs and statements.

The authorities still lack clear guidelines and templates on how to handle a procedure as quickly and effectively as possible.

5. Counseling instead of punishment

Most of the federal states also make an effort to resolve complaints with the companies amicably at first. Counseling sessions and lectures are held and information material is handed out instead of imposing penalties.

The data protection organization noyb (none of your business) criticizes that companies learn from this that they always get a second chance, and that a deterrent effect is sought in vain here.

In some cases, this goes so far that individual German states are accused of wanting to improve their quality as a business location through their handling of data protection.


Even after five years of the GDPR, there is still a considerable list of deficiencies in implementation and enforcement in Germany. Establishing standardized data protection thus remains an ongoing process.

As a personal summary of the last five years, Max Schrems said that the law worked, but its application did not.
