German RoPA Compliance

German Article 30 records with BDSG and DSK context.

Extend the core RoPA workflow with German-specific fields, deletion concepts, DSK-categorised TOMs, works council tracking, compliance scoring and a Verzeichnis export for supervisory review.

Acompli German RoPA Compliance Brochure — page 1
View brochure

Article 30 in Germany

What are the RoPA requirements in Germany?

Article 30 GDPR applies directly in Germany: controllers and processors must keep a record of processing activities — the Verzeichnis von Verarbeitungstätigkeiten — covering the purposes, data categories, recipients, transfers, retention periods and security measures set out in Article 30(1) and 30(2). Supervision sits with the BfDI (the federal data protection authority) and the 17 Landesdatenschutzbehörden — for most private companies, the state authority of the Land where the company is established is the competent supervisor.

The Bundesdatenschutzgesetz (BDSG) supplements the GDPR rather than replacing it, and section 70 BDSG mirrors the Article 30 record-keeping duty for specific processing contexts outside the GDPR’s direct scope. The obligation, the field lists, and the narrow Article 30(5) derogation are the same GDPR provisions that apply across the EU — read the Ireland & UK version of this guide for how the DPC and ICO apply them, or see the core Article 30 register for the underlying workflow.

Key takeaways

  • Article 30 GDPR applies directly — German entities maintain the Verzeichnis von Verarbeitungstätigkeiten to the same Article 30(1) and 30(2) field requirements as every EU controller and processor, with the BDSG supplementing the GDPR in specific contexts.
  • Supervision is federal and state-level — the BfDI at federal level and the 17 Landesdatenschutzbehörden across the Länder supervise compliance; most private companies answer to their state authority, and the authorities coordinate expectations through the Datenschutzkonferenz (DSK).
  • The Article 30(5) derogation is narrow — the under-250-employee carve-out falls away where processing is more than occasional, likely to risk data subjects’ rights, or includes Article 9 special categories, so most HR, marketing and customer processing carries the full duty.
  • Plan for two languages — German supervisory authorities and works councils generally expect German-language records while group privacy teams work in English; one jurisdiction-aware register with a German Verzeichnis export avoids maintaining parallel registers that drift apart.

Who supervises Article 30 RoPA compliance in Germany — the BfDI or a Landesdatenschutzbehörde?

Both, by remit. The BfDI supervises at federal level, and the 17 Landesdatenschutzbehörden supervise at state level — for most private companies, the data protection authority of the Land where the company is established is the competent supervisor and the body that would request the Verzeichnis von Verarbeitungstätigkeiten in an audit. The authorities coordinate their expectations through the Datenschutzkonferenz (DSK), whose Kurzpapiere set the form German reviewers expect. Acompli records the competent supervisory authority per legal entity, so a group with entities in several Länder, Ireland and the UK exports each register in the format its own authority — Landesdatenschutzbehörde, DPC or ICO — expects.

Can the Verzeichnis stay in German while the wider group works in English?

Yes — this is the dual-language reality for most DACH groups: the German entity's Verzeichnis, Löschkonzept and Betriebsrat documentation are generally expected in German by the competent Landesdatenschutzbehörde and the works council, while the group privacy team runs the register in English. Acompli holds one canonical Article 30 record set in which German entities carry the German-named overlay fields (Löschkonzept, Rechtsgrundlage, Betriebsrat) and export to the seven-sheet German Verzeichnis format, while Irish and UK entities export to DPC and ICO formats — so the German records and the English working view never diverge.

The German overlay

From jurisdiction detection to DPA-ready export

Each stage adds German-specific governance on top of the standard Article 30 register. The overlay adapts the UI, AI extraction, validation, and export format — all from a single configuration.

StartDetect

German requirements applied through a jurisdiction overlay

Create an entity with jurisdiction DE or assign a German supervisory authority. The BDSG/DSK overlay activates — field visibility, requirement levels, AI guidance, and export format all update.

Organisations with entities in Germany, Ireland, and the UK see the correct requirements for each. Detection works from supervisory authority codes, ICO registration, or explicit jurisdiction assignment.

Supervisory authorityBfDI or Landesdatenschutzbehörde code activates the German overlay
Jurisdiction codeDE maps to BDSG/DSK, IE to DPC, GB to ICO — automatic per entity
AI extraction adaptsThe AI receives German-specific guidance and populates BDSG fields during extraction
No manual templatesNo template selection or configuration — jurisdiction drives everything

German RoPA questions answered

How Acompli structures the Article 30 register for German (BDSG/DSK) requirements.

How should German firms compare RoPA tools for BDSG and Article 30?

Compare on five axes that BDSG/DSK-aligned reviewers actually test. (1) Article 30(1)/(2) field coverage with BDSG §26 (employment) and §22 (special categories) promoted to mandatory for German entities. (2) Structured Löschkonzept per data category with retention, legal basis, trigger, method and verification — not a free-text field. (3) DSK 5-category TOMs (Vertraulichkeit, Integrität, Verfügbarkeit, Belastbarkeit, Verfahren) with gap flagging against Article 32. (4) Betriebsrat consultation tracking per §87 BetrVG with Betriebsvereinbarung references. (5) A Verzeichnis export the BfDI or a Landesdatenschutzbehörde can read without reformatting. Tools that bolt German labels onto a generic Article 30 form fail the first DSK audit; jurisdiction-aware overlays that share one register across DE/IE/UK do not.

Is a Verzeichnis von Verarbeitungstätigkeiten a legal requirement in Germany, Ireland and the UK?

Yes — the obligation is the same Article 30 GDPR obligation in all three jurisdictions, with national overlays. In Germany the BDSG and the DSK Kurzpapier Nr. 1 set the expected form (the Verzeichnis), and BfDI/Landesdatenschutzbehörden enforce. In Ireland the Data Protection Act 2018 keeps Article 30 unchanged and the DPC enforces. In the UK, Article 30 of the UK GDPR plus the Data Protection Act 2018 apply and the ICO enforces. The Article 30(5) under-250-employees carve-out is narrow: it falls away the moment processing is regular, risks data subjects, or includes special categories (Article 9) — which captures most HR, marketing and B2B operations. Treat the carve-out as inapplicable in practice.

How should a German Löschkonzept be structured inside the Article 30 register?

Per the DSK Kurzpapier on Löschkonzepte, a defensible Löschkonzept is per data category, not per system or per activity. Each category needs: retention period with the source rule (for example payroll records 6 years post-employment per §257 HGB, tax records 10 years per §147 AO), the legal basis the retention rests on, the deletion trigger (event-based or time-based), the deletion method (overwrite, destruction, anonymisation), the responsible role, and how deletion is verified. Acompli captures each as a structured field on the Article 30 record so completeness is measurable and gaps surface in the DSK-aligned dashboard, rather than living in a Word annex the DPC, BfDI or a Landesdatenschutzbehörde cannot inspect.

How should DSK Article 32 TOMs be tracked in the register?

DSK guidance organises Article 32 measures into five categories: Vertraulichkeit (access control, encryption, pseudonymisation), Integrität (input/transfer control, logging), Verfügbarkeit (backup, recovery, continuity), Belastbarkeit (capacity, failover) and Verfahren (incident response, vendor management, training, testing). A register that records TOMs as free text loses gaps; one that requires a measure in each category, cross-references ISO 27001 or BSI IT-Grundschutz controls, and flags empty categories, gives the DSK reviewer what they expect. After the DPC €1.2bn Meta decision (2023) the bar for evidencing TOMs that protect transferred data has risen — record cross-border safeguards (SCCs, supplementary measures) at the TOM level too, not only in the transfer field.

Must Betriebsrat consultation be tracked at the processing-activity level?

Yes for any processing that touches employee behaviour or performance. §87(1) Nr. 6 BetrVG gives the Betriebsrat a co-determination right on technical devices that monitor employees, which extends to most HR analytics, time-tracking, productivity tooling, video surveillance and many cloud HR systems. A Verzeichnis that cannot prove which activities triggered Mitbestimmung, when consultation happened, and which Betriebsvereinbarung governs the activity, is not audit-ready. Acompli captures consultation status (Ja/Nein/Nicht zutreffend), date, contact, and Betriebsvereinbarung reference per processing activity, and flags employee-data activities that lack documented consultation.

Can one register cover German, Irish and UK entities without duplicating data?

Yes — jurisdiction should be an entity attribute, not a tenant. Acompli's jurisdiction overlay activates BDSG/DSK fields and the German export for DE entities, DPA 2018/DPC framing for IE, and UK GDPR/ICO framing for GB — from the same record set. A group with a DE GmbH, an IE Ltd and a UK Ltd holds one canonical Article 30 register; each entity sees only the fields its supervisory authority expects, and exports separately to BfDI/Landesdatenschutzbehörde, DPC and ICO formats. This avoids the common failure mode of three half-maintained Excel files diverging across the group.

More detailed questions
Market-specific questions

See German RoPA compliance in action

One jurisdiction-aware German register, connected to your assessments and risk register in one platform.