Germany BDSG + GDPR: Privacy Policy Essentials for SMBs
A practical guide for German business owners on BDSG- and GDPR-compliant privacy policies, DPO duties, employee data rules, and Impressum requirements.
Under the GDPR (Arts. 37–39) and Germany’s BDSG (§38), many companies must appoint a Data Protection Officer: the GDPR requires one where core activities involve large-scale regular and systematic monitoring of data subjects or large-scale processing of special categories of data, and §38(1) BDSG adds a national trigger where, as a rule, at least 20 persons are constantly engaged in automated processing of personal data. Publish the DPO’s contact details and notify them to the supervisory authority (Art. 37(7)); your privacy policy should state those contact details, the DPO’s oversight role, and the right to lodge a complaint with a supervisory authority (Art. 13(2)(d)/Art. 14(2)(e) GDPR). Document internal reporting lines and the DPO’s independence (Art. 38). If you use processors, name the recipients or their categories in the notice and make sure each processing contract covers the Art. 28(3) terms. LegalDocs.ai offers DPO-ready templates and checklists so you can formalize responsibilities and publish compliant notices without reinventing the wheel.
For employee data, rely on Art. 6(1)(b) GDPR (performance of the employment contract) and Art. 6(1)(c) (legal obligations such as payroll tax and social-security reporting), together with §26 BDSG, the German employment-specific provision enacted under the opening clause in Art. 88 GDPR. Limit collection to what is necessary for hiring, payroll, and compliance; document retention periods and access controls. Provide Art. 13 notices at onboarding, including the categories processed, recipients, and any third-country transfers. Coordinate with the works council where co-determination applies; for technical systems capable of monitoring employee conduct or performance this is §87(1) no. 6 BetrVG. Maintain Art. 30 records of processing (RoPA) and conduct a DPIA where monitoring technologies are likely to result in a high risk (Art. 35). LegalDocs.ai streamlines notices, RoPA, and DPIA workflows.
Ensure your website’s Impressum meets §5 TMG (since May 2024 the same duty sits in §5 DDG, the Digitale-Dienste-Gesetz that replaced the TMG) and, for journalistic-editorial content, §18 MStV: full company name, address, legal form, commercial register and registration number, VAT ID, and contact details, plus the competent supervisory authority if your business is regulated. Align the Impressum with your GDPR privacy notice (Arts. 13–14), including controller and DPO contacts and the right to lodge a complaint. Obtain consent before storing or reading cookies and similar identifiers for non-essential purposes per §25 TTDSG (renamed TDDDG in May 2024); strictly necessary cookies are exempt under §25(2), and consent must be given before the tracking script runs and must be as easy to withdraw as to give. Keep a record of each consent decision. If you lack an EU establishment, appoint an Art. 27 representative. LegalDocs.ai provides aligned Impressum and privacy-policy builders with consent records.
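The consent gate that §25 TTDSG requires before non-essential cookies or tracking are set or read, shown as an added JavaScript example; it is not code from the page or from LegalDocs.ai. Loaders for analytics and marketing scripts stay queued until an opt-in for their category is recorded, strictly necessary ones run immediately, and every grant or withdrawal is logged with a policy version and timestamp so the decision can be documented. The createConsentManager API, the category labels, and the loaders are illustrative assumptions.

```javascript
// Added example: consent gate for non-essential cookies/tracking (not code from the page).
// Categories other than "necessary" must wait for an explicit opt-in before any loader runs.
// Names (createConsentManager, category labels, loaders) are illustrative assumptions.

const CONSENT_CATEGORIES = ["analytics", "marketing"]; // "necessary" needs no consent

function createConsentManager({ policyVersion, now = () => new Date().toISOString() }) {
  let record = null;                                   // current consent record, null = no consent
  const pending = Object.fromEntries(CONSENT_CATEGORIES.map((c) => [c, []]));
  const log = [];                                      // audit trail: every grant / withdrawal

  function isAllowed(category) {
    if (category === "necessary") return true;
    return record !== null && record.granted.includes(category);
  }

  // Run `loader` now if allowed, otherwise hold it until consent for `category` is granted.
  function gate(category, loader) {
    if (isAllowed(category)) { loader(); return true; }
    if (!(category in pending)) throw new Error(`unknown category: ${category}`);
    pending[category].push(loader);
    return false;
  }

  // Record an opt-in decision and release queued loaders for the granted categories only.
  function recordConsent(granted, source = "banner") {
    const unknown = granted.filter((c) => !CONSENT_CATEGORIES.includes(c));
    if (unknown.length) throw new Error(`unknown category: ${unknown.join(", ")}`);
    record = { granted: [...new Set(granted)], policyVersion, timestamp: now(), source };
    log.push({ action: "grant", ...record });
    for (const c of record.granted) {
      const queued = pending[c];
      pending[c] = [];
      queued.forEach((fn) => fn());
    }
    return record;
  }

  // Withdrawal must be as easy as granting: one call clears the record and is logged.
  function withdraw(source = "settings") {
    if (record === null) return null;
    const entry = { action: "withdraw", policyVersion, timestamp: now(), source };
    log.push(entry);
    record = null;                                     // still-queued loaders stay queued
    return entry;
  }

  return { isAllowed, gate, recordConsent, withdraw, getRecord: () => record, getLog: () => [...log] };
}

// Constructed walk-through (sample data, not a real site): returns which loaders actually ran.
function demo() {
  const ran = [];
  const cm = createConsentManager({ policyVersion: "2024-05", now: () => "2024-06-01T09:00:00Z" });
  cm.gate("necessary", () => ran.push("session-cookie")); // runs immediately
  cm.gate("analytics", () => ran.push("analytics.js"));   // queued
  cm.gate("marketing", () => ran.push("ads-pixel"));      // queued
  cm.recordConsent(["analytics"]);                         // releases analytics only
  cm.withdraw();                                           // later withdrawal, logged
  return { ran, log: cm.getLog(), stillAllowed: cm.isAllowed("analytics") };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

The point of the queue is that a tag manager or script tag should never be in the page before consent; wiring real loaders means appending the script element inside the loader callback, so nothing is fetched or stored until recordConsent runs. The log is what you would export when a supervisory authority or data subject asks how and when consent was obtained.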