German Parliament Passes Data Act Implementation Act

In our Data Protection Update No. 214, we previously reported that key obligations under the Data Act must be implemented by September 12, 2025. To establish further provisions for the implementation of the Data Act at the national level, the German Parliament ("Bundestag") passed the Data Act Implementation Act on March 26, 2026. This act specifically regulates the jurisdiction of authorities, cooperation among authorities, administrative procedures, and sanctions for violations of obligations under the Data Act.

Competencies Remain

Following the Bundestag’s decision, the Federal Network Agency ("Bundesnetzagentur") remains – unsurprisingly – the central authority responsible for overseeing the implementation of the Data Act in Germany. 

Despite opposition from the Bundesrat, the special jurisdiction of the Federal Commissioner for Data Protection and Freedom of Information (BfDI) will be retained. Accordingly, the BfDI has sole jurisdiction over the supervision of the application of the Data Act with regard to the protection of personal data when processed by non-public bodies. In addition, the state data protection authorities retain jurisdiction over processing by the data recipient. In its statement, the Bundesrat therefore warned against dual oversight and the associated risk of parallel proceedings, as well as potentially divergent assessments by different authorities and courts. Common fundamental issues – such as the classification of the information in question as personal data – could be assessed differently by the BfDI when evaluating a data usage request than by the state authority within the scope of its ongoing data protection oversight. In light of these potential divergences, no adjustments were made to the draft. Whether this will ensure the legal clarity and certainty promised by the federal government regarding the application of the Data Regulation remains to be seen, particularly given the difficulties in distinguishing between the Data Act and data protection.

Sanctions: Lower Fines Than Originally Planned

The adopted draft of the Data Act Implementation Act conclusively regulates the sanctions for violations of the Data Act and the Data Act Implementation Act.

With a maximum limit of EUR 500,000, the penalty payments are significantly lower than in the draft bill, which previously provided for penalty payments of up to EUR 10,000,000. 

A tiered system is in place for determining the amount of fines: a maximum limit of EUR 50,000 applies to minor violations, EUR 100,000 to moderate violations, and EUR 500,000 to serious violations. A serious violation occurs, for example, when connected products are not designed in such a way that the data they generate or record is accessible to the user. If a user is prevented from sharing received data, this may constitute a moderate violation. A violation of the obligation to provide evidence in the event of a refusal to share data is considered minor. 

Furthermore, the maximum limits may be exceeded if economic benefits were derived from the sanctioned violation. 

Overall, the sanctions have been made more lenient than originally planned. The adjustment is intended, in particular, to prevent an undue burden on SMEs and to ensure proportionality. It can be assumed that this approach is designed in line with the objectives of the Digital Omnibus.  

Outlook

With the Bundestag’s resolution, the groundwork has now been laid for sanctioning violations of the Data Act (and the Data Act Implementation Act). Companies are therefore well advised to use the remaining time until the national implementing regulations take effect to adapt existing processes to the new requirements at an early stage and minimize potential sanction risks. It is expected that the Data Act Implementation Act will enter into force shortly, given the already delayed national implementation.

This article was created in collaboration with our research associate Esma Yildiz.