Digital Business in Germany: Overview | Practical Law

A Q&A guide to digital business in Germany.

Digital Business in Germany: Overview

Practical Law Country Q&A 5-637-9385 (Approx. 22 pages)

by Dr Nils Lölfing and Dr Fabian Niemann, Bird & Bird
Law stated as at 01 Apr 2023 | Germany
The Q&A gives a high level overview of matters relating to: regulations and regulatory, legislative and industry bodies for doing business online; setting up an online business; running a business online, including electronic contracts and e-signatures; implications of running a business online, including data protection, privacy protection and cybersecurity; rules relating to linking, framing, caching, spidering and metatags; jurisdiction and governing law; domain names; advertising and marketing; tax; protecting an online business and users; insurance; and proposals for reform.

Regulatory Overview

1. What regulations apply for doing business online (for business-to-business and business-to-consumer)?
German law governing the conduct of business online is set out in many statutory instruments. Some of these are specific to online trade, while others apply to all business activities. This area of law is also subject to increasing harmonisation at the EU level.
The following laws are of particular significance:
  • The German Civil Code (Civil Code) contains the relevant provisions for conclusion of contracts as well as contractual or tort liability for both online and offline situations. The Civil Code also imposes obligations on the operators of commercial websites, including:
    • Obligations to provide users (both consumers and business customers) with certain information about the operator and its services.
    • Stricter obligations for website operators who deal with consumers (for example, regarding information and the right of withdrawal).
  • The Act against Unfair Trade Practices (Unfair Trade Practices Act) prohibits the use of various unfair practices by traders (towards consumers and business customers), such as misleading actions or omissions, and includes a "blacklist" of prohibited commercial practices. It also governs direct marketing (both solicited and unsolicited) by means of electronic communication.
  • The General Data Protection Regulation ((EU) 2016/679) (GDPR) and the German Data Protection Act (GDPA) (which aligns the national law to the GDPR), both applicable since 25 May 2018, contain provisions relating to the use of personal data, including that of website users (see also Question 14).
    The Telemedia Act 2007 contains further provisions regulating the processing of website users' personal data, which are arguably less onerous than under the GDPR. However, after the GDPR entered into force, the extent to which the rules under the Telemedia Act (for example, regarding the processing of usage data for the purpose of website audience measurement) still apply has been disputed (see Question 14).
    The Data Protection and Privacy in Telecommunications and Telemedia Act 2021 (Telemedia Act 2021), which entered into force in December 2021, governs the use of cookies and similar technologies on websites (and on connected devices). Under this Act, online traders must in certain circumstances obtain the consent of website visitors if their data is stored in the website visitors’ devices.
Depending on the specific service or product, further regulatory laws may apply.
2. What legislative bodies are responsible for passing legislation in this area? What regulatory and industry bodies are responsible for passing regulations and codes in this area?
Legislation must be passed by Parliament as an Act of Parliament. However, a Regulation passed by the EU applies without an act of national transposition.

Setting up a Business Online

3. What steps must a company take to set up an existing/new business online?
There are no mandatory legal requirements to set up a business online. However, the following steps should be taken into account before launching a new business online:
  • The new business should establish a company (for example, a limited liability company (GmbH)).
  • The new business typically must engage a third party to design and develop the website and an internet service provider (ISP) to host the website. The company's website must provide certain information to users, which is usually done in the terms of use (see Question 4), in the privacy policy and the legal imprint sections (see Question 39).
  • Regarding the privacy policy, due to the increasing importance of data protection (in particular under the GDPR), the business must verify the personal data collected and how it is collected, to assess its legitimacy.
  • If the business intends to trade through the website, it must prepare terms of sale/service, and determine the logistics required to fulfil customer orders.
  • A business registration with the competent authority is always necessary if the business will be physically located in Germany.
4. What types of parties can an online business expect to contract with?
The types of parties that an online business usually deals with largely depend on the nature of the business. The following agreements are usually required:
  • Website development agreement setting out how the website should look, the functions it will have, and also typically (not legally but practically required) maintenance and support obligations.
  • Website hosting agreements stipulate the scope of hosting services, which typically include minimum availability requirements.
  • Content licences must be acquired for any third party content that is not freely available.
  • Agreements with users and customers of the website, such as the terms of use and/or terms of sales, if applicable.
  • Marketing agreements regarding all types of marketing on the website (for example, banner ads, and so on) or on third party websites (such as AdWords or partnership marketing measures) with respective parties.
5. Is there any law or guidance that might affect the design of the website or app (for example, relating to access by disabled people or children)?
The revised Protection of Young Persons Act (Jugendschutzgesetz) (JuSchG) applies primarily to app stores, but is also relevant to apps. It expands and clarifies the Youth Media Protection State Treaty (Jugendmedienschutz-Staatsvertrag), providing that programmes must not be released for children if they are detrimental to their development in their respective age group. The revised JuSchG clarifies various criteria to assess this, including the promotion of excessive usage, gambling-like mechanisms, unrestricted purchase opportunities, or the inappropriate transfer of personal data to third parties.
App providers must evaluate their apps and provide an age rating that includes reasons for clearance for an age group.
App developers must comply with the guidelines of the relevant app stores, which can go beyond the legal requirements.
New legal requirements apply in the private sector relating to access by disabled persons. EU Directive (EU) 2019/882 of 17 April 2019 on the accessibility requirements for products and services requires e-commerce websites to be accessible to consumers from June 2025, in accordance with EN 301 549 (the EU harmonisation standard). The corresponding German law (Disability Equality Act, which entered into force in 2021), requires products and services to be accessible, that is, be detected, accessed and used by people with disabilities without assistance from others.
The apps and websites of federal government public authorities must be barrier-free. The Disability Equality Act and the Barrier-Free Information Technology Ordinance (BITV 2.0) provide more detail on the standards set out in the Directive.
6. What are the procedures for developing and distributing an app?
Contracts for developing and distributing apps are usually work contracts under the Civil Code (Werkvertrag). If a standard app is adapted to the user's individual (operational) needs, the contract is also subject to the law on work contracts.
An app developer agreement should determine the kind of app (native or web app) and the minimum version of the operating system with which it should be compatible. Precise agreements should be made about the minimum hardware requirements, display resolution and requirements for random-access memory (RAM) consumption. This includes detailed agreements on updates with their response times and extent. The parties should agree in advance who is to be responsible for placing the app in the app store, for licences and fees, for designing the sales pages in the app stores and for maintenance.
The terms to be concluded with app developers should also address which licences will be needed to develop and distribute the app, including for example, content and software licences.
The distribution through major app stores (for iOS apps exclusively through the Apple App Store and for Android apps through the non-exclusive Google Play) requires entering into a distribution agreement with the app store provider which is publicly available on their websites. End User Licence Agreements (EULA) provide the terms and conditions (T&Cs) applicable to the use of the app by the customers.

Running a Business Online

Electronic Contracts

7. Is it possible to form a contract electronically? Are there any limitations?

Requirements

It is generally possible to form a contract electronically, subject to the general contract formation rules, including those in the Civil Code (for example, regarding the conclusion of contracts, the capacity of the parties and the validity of the parties' consent).
Offer and acceptance and incorporation of terms are of particular importance when contracting online. A customer is usually deemed to make an offer by submitting an order (as typically governed in the T&Cs). The trader accepts this order if it has issued an order confirmation (as also typically governed in the T&Cs). The T&Cs are validly incorporated into the contract if they have been sufficiently brought to the attention of the customer before the contract is concluded.
The acknowledgment of T&Cs through click-wrap (that is, the acceptance of T&Cs by mouse click) is valid under German law. Shrink-wrap contracts are not valid if there is no possibility to consult them beforehand. Further, if T&Cs are placed somewhere on the vendor website and their validity is only referred to in the contract (browse-wrap), no contract is concluded. However, browse-wraps can be enforced if the link to the T&Cs is made accessible to customers before concluding an agreement, and where it is clearly stated that those T&Cs govern the relation between the parties.
When app or software developers want to conclude an independent additional licence agreement directly with the customer (that is, a EULA) (in addition to the actual sales contract between the trader and the customer), customers should be informed at the time of purchasing from the trader that another contract concluded with the manufacturer is required. For example, this information can be on the packaging.
E-commerce law requires the fulfilment of specific duties by the business to its customers. Although this is not a requirement to render the agreement valid, the infringement of those duties may cause other disadvantages to the provider, for example:
  • The delayed commencement of the withdrawal period (in a business-to-consumer (B2C) context).
  • Damage claims due to the infringement of pre-contractual information requirements.
  • Claims from competitors based on the Unfair Trade Practices Act.
Requirements for online contracts may include the following:
  • The offer must include the necessary steps to conclude the agreement and the technical means to review and correct the order by the customer.
  • The offer must include certain information, such as the main characteristics of the product or service, prices inclusive of all taxes, delivery period, sellers' contact details, means of payment accepted, applicable warranties, as well as the conditions and time limit and procedures for exercising the right of withdrawal. In specific cases, further information may be required (for example, in the case of digital goods).
  • The business must acknowledge receipt of the order and provide confirmation of the contract conclusion.
  • The seller must provide the consumer with all the information, in a durable medium, at the time of delivery at the latest (this is typically done by e-mail).
These requirements may vary under German law depending on whether the contract is concluded with consumers or business customers.

Limitations

There are no limitations in relation to electronic contracts, but some contracts require specific formalities that cannot be met online, such as notarisation in the case of the sale of shares or real estate.
There are no explicit language requirements for contracts concluded with customers. However, T&Cs must be transparent to become effective (Civil Code). Therefore, German courts generally deem English language T&Cs targeting a consumer as prima facie void if they have not been translated into German. This is likely to be assessed to the contrary if the website targets businesses, as they are more experienced in business transactions (see also Question 34).
8. What laws govern contracting on the internet?
In addition, the Platform to Business (P2B) Regulation ((EU) 2019/1150) applies to platform/search engine operators where both the:
  • Business users of the platform/search engine are based in the EU.
  • Business users seek to contract with consumers based in the EU.
It places new obligations on operators of online platforms and online search engines in relation to their business-to-business (B2B) dealings, such as obligations to:
  • Make terms readily available.
  • Provide business users with adequate notice of changes to terms.
  • Disclose the main parameters they use to rank goods and services on their site, to help business users understand how to optimise their presence. In this context it is also mandatory for online platforms to disclose any advantage they may give to their own products over others.
9. Are there any data retention requirements in relation to personal data collected and processed through electronic contracting?
There are no specific data retention requirements for electronic contracts. There are many data retention requirements resulting from German tax law and the German Commercial Code. For example, certain accounting documents and supporting documentation must be kept for six years.
10. Are there any trusted site accreditations available to confirm that the website has complied with minimum cybersecurity standards?
There are no official government trusted site accreditations for websites. However, there is a "Trusted Site Privacy" certificate which shows that the data privacy settings of a website, including certain minimum cybersecurity standards, are legally compliant. This certificate is issued by a well-known and trusted private body in Germany, the German Technical Inspection Association on Information Technology (TÜViT). Other private organisations offer further certificates (such as a "Trusted Shops" company that certifies online shops in several European countries).
11. What remedies are available for breach of an electronic contract?
The remedies available for breach of an electronic contract are the same as those applicable to any other type of contract. If defective goods are delivered, a customer can demand rectification or a good free of defects, withdraw from the contract, demand price reduction and/or claim damages. In the case of a service agreement, a customer can claim damages if it has suffered harm.

E-Signatures

12. Does the law recognise e-signatures or digital signatures?
E-signatures are recognised under German law.

Applicable Legislation and Use

The Electronic Signatures Directive (1999/93/EC) underpins the legal framework for electronic signatures in the EU. In Germany it is primarily implemented by the Signature Act, the Signature Ordinance as well as the Civil Code.
With effect from 1 July 2016, the Signature Act and the Signature Ordinance were partly replaced by the Electronic Identification and Trust Services Regulation (eIDAS Regulation) ((EU) 910/2014). The eIDAS Regulation is directly applicable, and the existing national legislation partly continues to apply. The eIDAS Regulation implements additional measures to increase the use of electronic identification and authentication facilities, and expands the legal framework governing electronic identification/documentation.

Definition of E-Signatures/Digital Signatures

The simple electronic signature is defined as data in electronic form that are attached to or logically associated with other electronic data and that serve as a method of authentication.
An advanced electronic signature is defined as an electronic signature that is uniquely linked to the signatory, capable of identifying the signatory, created using electronic signature creation data that the signatory can, with a high level of confidence, use under their sole control. An advanced electronic signature is linked to the data signed in such a way that any subsequent change in the data is detectable.
A qualified electronic signature is defined as an advanced electronic signature that is:
  • Created by a qualified electronic signature creation device.
  • Based on a qualified certificate for electronic signatures.
Only a qualified electronic signature satisfies the legal requirements of a signature in the same manner as a handwritten signature (Civil Code).

Format of E-Signatures/Digital Signatures

To validly replace a handwritten signature, a qualified electronic signature must be:
  • Capable of identifying the signatory.
  • Uniquely linked to the signatory.
  • Created using means that the signatory can prove are under his sole control.
  • Linked to the data to which it relates in such a manner that any subsequent change of the data is detectable.
  • Issued by a secure signature-creation device.
  • Verified by using a qualified certificate issued by a certification service provider.
E-signatures or digital signatures have been used increasingly in Germany, particularly since the COVID-19 pandemic. This largely applies to B2B contracts, for which companies use electronic signature services such as DocuSign. In B2C agreements, this is less common as verification is not needed for electronic contracts, given that these contracts are usually concluded by simply accepting T&Cs.
13. Are there any limitations on the use of e-signatures or digital signatures?
Some contracts require specific formalities which cannot be undertaken by means of e-signatures, such as notarisation in the case of the sale of shares or real estate.
Apart from those specific cases, there are no limitations on the use of e-signatures under German law. However, only qualified electronic signatures satisfy the legal requirements of a signature in the same manner as a handwritten signature under the Civil Code (see Question 12).

Implications of Running a Business Online

Data Protection

14. Are there any laws regulating the collection or use of personal data? To whom do the data protection laws apply?
The collection and use of personal data online is predominantly regulated by the GDPR and the GDPA (see Question 1).
The GDPR applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the EU, regardless of whether the processing takes place in the EU. Non-EU established organisations are already subject to the GDPR where they process personal data of EU data subjects in connection with the offering of goods or services (payment is not required) or monitoring their behaviour in the EU.
Generally, data protection laws apply to the data controller (that is, any person or body collecting, processing or using personal data on their own behalf or commissioning others to do it). However, certain data security requirements (such as technical and organisational measures necessary to comply with the data security requirements of the GDPR) also apply to data processors (that is, bodies that are commissioned to collect, process or use personal data on behalf of the controller).
The GDPR has also extended the obligations for processors and introduces, for example, the requirement to keep a record of processing activities (including the type of data processed, the purposes for which it is used, and so on).
The GDPA (see Question 1) has substantially changed the old German Data Protection Act to align it to the GDPR and to make use of its derogations. Although the GDPR directly applies across the EU and its provisions prevail over national law, member states have retained the ability to introduce their own national legislation based on certain derogations provided for by the GDPR. These derogations include national security, prevention and detection of crime, and also apply in certain other important situations, for example, to the collection and use of employee data (which remains unregulated by the GDPR) or to the stricter requirements for the appointment of a data protection officer (compared with the GDPR).
As regards the collection and use of employee data, the GDPA adopted the existing German rules (that is, processing of employees' data is generally allowed if necessary for establishing or carrying out the employment relationship). In addition, it clarifies employees' consent, such as the circumstances when such consent is "freely given" in an employer-employee relationship. In respect of the requirement to appoint a data protection officer, the threshold for the appointment is much lower in Germany than under the GDPR. As such, the requirement generally applies if a minimum of 20 employees are deployed to carry out the automatic processing of personal data on an ongoing basis.
For further information on data protection laws in Germany, see Data Protection in Germany: Overview.
15. How does the law define personal data or personal information?
The GDPR and the GDPA regulate personal data.
Personal data is defined as data which relates to a living individual who can be identified from that data, or from that data together with other information in the possession of, or likely to come into the possession of, the data controller (GDPR). Even dynamic IP addresses may be considered personal data according to the European Court of Justice (CJEU) (Patrick Breyer v Bundesrepublik Deutschland, Case C-582/14, dated 19 October 2016). This judgment, although not rendered under the GDPR, is very likely to be upheld by courts and data protection authorities. By contrast, information relating to corporate bodies is not considered personal data.
The following are considered special categories of personal data:
  • Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership.
  • Genetic data and biometric data processed for the purpose of uniquely identifying a natural person.
  • Data concerning health or data concerning a natural person's sex life or sexual orientation.
    (Article 9(1), GDPR.)
The processing of special categories of personal data must meet additional requirements under Article 9(2) of the GDPR.
The GDPA does not establish any further definitions of personal data.
Before the GDPR entered into effect, the Telemedia Act regulated the collection, processing and use of inventory as well as usage data of users while the old German GDPA referred to content data (though details were disputed within the German legal literature). It is now debatable whether the Telemedia Act is still applicable as data protection authorities argue that the GDPR prevails over the national law rules on the processing of personal data collected from a website. As a result, justifying the processing of data, for example, for purposes such as website audience measurement is generally more difficult to base on legitimate interest in the view of data protection authorities.
16. Are there any limitations on collecting, storing or using personal data?
The GDPR prohibits the collection and use of personal data unless it is permitted by statutory law or the data subject has consented to it. Following data protection authorities' view that the Telemedia Act is no longer applicable as of 25 May 2018, a service provider can collect and use a user's personal data without consent only when:
  • It is necessary for the contractual performance.
  • The processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where those interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data ("balancing of interests" justification).
Online media service providers (such as website operators) can, for example, store IP addresses to guarantee the security and continued proper functioning of the media service based on a possible legitimate interest of this provider and the balancing of interests justification (Patrick Breyer v Bundesrepublik Deutschland, Case C-582/14, dated 19 October 2016).
The GDPR and GDPA do not expressly restrict the storage of personal data in the cloud, but the general requirements of the GDPR apply when cloud solutions are used.
Users of these services are usually considered to be data controllers, which must conclude a data processing agreement regarding the personal data stored on their behalf by a cloud provider. The main aspects of such an agreement relate to the security of the cloud systems, and whether the solution will be affected by the provisions in the GDPR restricting the transfer of personal data to countries outside the European Economic Area.
German law does not provide for wide-ranging data localisation requirements. For example, few tax and accounting laws require organisations to store digitally kept accounts, records or electronic invoices within Germany or other EU member states. The general principle, however, is that personal data can also be stored abroad.
The GDPR establishes distinct data transfer requirements for transfers (including theoretical access to personal data without any storage in third countries) of personal data to third countries outside the EU/EEA.
Cloud providers with data typically stored across the world (outside the EU/EEA) typically rely on standard contractual clauses (SCCs) adopted by the European Commission. However, relying on SCCs has become more burdensome for cloud providers and their customers. Additional safeguards, beyond the SCCs, are therefore generally required for transfers to countries such as the US (in light of the statements made by the CJEU that US law and practice is incompatible with EU requirements, which may also apply to other countries such as China and India).
On 4 June 2021, the European Commission published the recast SCCs that replaced the old SCCs from 27 September 2021. These new SCCs partly implement certain contractual safeguards that are already being followed under the European Data Protection Board (EDPB) Recommendations (for example, obligations in the case of access by public authorities, and redress and indemnification for data subjects).
17. Can government bodies access or compel disclosure of personal data in certain circumstances?
The police and public prosecution authorities can gain access to personal data when investigating crime, if there is reason to believe that such information can be used as evidence and that such evidence cannot be obtained through other less invasive means (German Code of Criminal Procedure). However, this generally requires a court order issued by a competent judge.
Some public authorities may have a right to access personal data in certain situations if statutory laws permit the access (for example, for the purpose of national security, terrorism, national business intelligence, mass and organised crime).

Privacy Protection

18. Are there any laws regulating the use of cookies, other tracking technologies like digital fingerprinting, or online behavioural advertising?
The E-Privacy Directive (2002/58/EC) was finally implemented in Germany through the Telemedia Act 2021, which entered into force in December 2021. This law:
  • Governs the use of cookies and similar technologies on websites (and other connected devices).
  • Reflects the cookie requirements of the E-Privacy Directive and implements them into German law.
German data protection authorities have issued guidelines on how businesses should implement the requirements of the 2021 Act. In December 2022, the German Data Protection Conference (the joint body of all German data protection authorities) published guidance (2022 guidance) on how to obtain cookies consent. The 2022 guidance is the result of a comprehensive consultation procedure with business stakeholders.
The guidelines include (among others) the requirements established by the CJEU in a judgment in October 2019 stating that pre-ticked cookie check-boxes authorising the use of cookies and similar technologies do not constitute valid consent under the E-Privacy Directive (Bundesverband der Verbraucherzentralen und Verbraucherverbände - Verbraucherzentrale Bundesverband eV v Planet49 GmbH (Case C-673/17), EU:C:2019:801).
German data protection authorities also actively enforce the E-Privacy Directive and the Telemedia Act 2021 in the light of these recent developments. At the end of August 2020, for example, ten German data protection authorities began a concerted effort to audit the cookie practices of specific websites of German publishing houses. This has put a focus on cookie compliance in the German market.

Cybersecurity

19. What measures must contracting companies or internet providers take to guarantee internet transactions' security?
The GDPR provides for certain data security requirements with which companies must comply to ensure appropriate technical and organisational measures against unauthorised or unlawful processing of personal data and accidental loss, destruction, or damage. These requirements include an obligation to ensure that an appropriate level of security is applied to internet transactions that involve the transmission of personal data.
If online businesses accept credit or debit card payments from customers, the Payment Card Industry Data Security Standards (PCI-DSS) must be observed. Those standards stipulate how traders deal with customer information. One of the central requirements is that sensitive card authentication data must never be stored by the trader after authorisation of a payment transaction, even if it is encrypted.
20. Is the use of encryption required or prohibited in any circumstances?
Neither the GDPR nor the GDPA expressly requires personal data to be encrypted. However, German data protection authorities require encryption as part of having appropriate security measures in place, depending on the circumstances of the individual case and technical feasibility.
Encryption can be an appropriate security measure if the sensitivity of the data concerned requires this. In many cases data encryption will therefore be considered an appropriate and necessary technical measure for the protection of personal data stored on mobile digital media, sensitive or confidential e-mail communications, and data held in the cloud.
The EDPB suggested encryption as a supplementary measure in its guidelines, to ensure compliance with the GDPR (see Question 16). If data is properly encrypted and access by third parties is not possible, the level of data protection in third countries is deemed adequate. This is because government access is not possible, which is a decisive factor in the adequacy assessment (EDPB's recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, adopted on 18 June 2021).
21. Are electronic payments regulated?
Businesses are generally free to accept electronic payments and must comply with specific security requirements (see Question 19).
Anti-money laundering obligations only apply to specific groups of professionals, including banks and service providers from other sectors such as lawyers, notaries, and gambling providers. EU member states may extend the list to include professional groups if they are particularly associated with money laundering or terrorist financing.
If a system makes decisions that affect individuals through automatic processing of their personal data, this is predominantly governed by the GDPR. Data subjects have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning or significantly affects the data subject (Article 22(1), GDPR). This only applies if the decision produces legal effects concerning the data subject or similarly significantly affects the data subject. There is no clear definition of "significantly affecting practices". However, an example provided by the GDPR is automatic refusal of an online credit application (due to negative scoring). In relation to electronic payments, this may be assumed where, for example, a buyer of goods is rejected based on an automated analysis that determines that the potential buyer lives in a specific part of a city which is evaluated as statistically poor and therefore is likely to be insolvent.
However, there are justifications in the GDPR permitting this kind of automated decision making. For example, where consent has been provided or automated decision making is necessary for entering into, or performance of, a contract between the data subject and a data controller (such as in cases in which the automated decision is part of the services offered by the contractual partner).
In relation to retention of data of electronic payments, there are many data retention requirements resulting from German tax law and the German Commercial Code. For example, certain accounting documents and supporting documentation must be kept for six years (see Question 9).
22. Do any specific rules or guidance apply to websites aimed at (or that might be accessed by) children?
The revised JuSchG (see Question 5) also applies to websites. It expands and clarifies the Youth Media Protection State Treaty (Jugendmedienschutz-Staatsvertrag), providing that websites must not be released for children if they are detrimental to their development in their respective age group. The revised JuSchG clarifies various criteria to assess this, including the promotion of excessive usage, gambling-like mechanisms, unrestricted purchase opportunities, or the inappropriate transfer of personal data to third parties. Website providers must evaluate their apps and provide an age rating that includes reasons for clearance for an age group.
In terms of GDPR, only children who are at least 16 years old can validly provide consent to the processing of their personal data (GDPR) on a website. Although the member states can deviate from this age in their national laws, Germany has not introduced a different minimum age.
The processing of personal data of under 16s on websites by website operators is only lawful if and to the extent that consent is given or authorised by the holder of parental responsibility over the child. The website operator as controller must make reasonable efforts to verify in these cases that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology (GDPR). It is not yet known how this will be implemented in practice as the technologies to verify the minimum age and authorised consent are not yet available.
23. Are there any laws protecting companies within your jurisdiction that resell or market online digital content, services or software licences provided by a supplier outside the jurisdiction?
There are no specific laws protecting companies within Germany that resell or market online digital content, services or software licences provided by a supplier outside the jurisdiction.
The general requirements of the Civil Code determine contractual or tort liability towards the supplier, or warranties regarding online digital content, services or software licences (depending on how the underlying contract is classified under German statutory law and which remedies this statutory law sets out).

Linking, Framing, Caching, Spidering and Metatags

24. Are there any limitations on linking to a third-party website and other practices such as framing, caching and spidering?
The CJEU has made framing, caching, spidering and the use of metatags the subject matter of its judgments in the form of preliminary rulings which must be followed by national courts:
  • Links to or frames from third party websites are generally permitted without any restrictions. In this respect, the CJEU ruled that any IP rights must not be infringed, which may be affirmed if:
    • content was freely available on the internet; and
    • the IP owner has consented to the publishing of its content on the internet.
    (Nils Svensson, Sten Sjögren, Madelaine Sahlman, Pia Gadd v Retriever Sverige AB, (Case C-466/12) EU:C:2014:76 and BestWater International GmbH v Michael Mebes, Stefan Potsch, (Case C-348/13) EU:C:2014:2315).
  • Regarding caching and spidering, the CJEU ruled that temporary reproductions (such as on-screen and cached copies) do not infringe any copyright and are therefore released from authorisation by copyright holders (Public Relations Consultants Associations Ltd v The Newspaper Licensing Agency Ltd and others (Case C-360/13) EU:C:2014:1195).
  • Metatags may be considered to be misleading advertising if competing company names or products are intentionally used to direct consumers to their own website, or at least if it is suggested that the search result is connected to the original search conducted by consumers (CJEU; Belgian Electronic Sorting Technology NV v Bert Peelaers, Visys NV (Case C-657/11) EU:C:2013:516).
25. Are there any limitations on the use of metatags or advertising keywords?
Trade mark law and competition law restrict the use of metatags. According to the German Federal Court of Justice, the "function of origin" of a protected mark is impaired when a mark is used as a metatag to influence users to visit the metatag user's website.
In relation to advertising keywords, the German Federal Court of Justice has largely declared the use of third-party brands to be permissible if no business connection between the advertiser and the owner of the trade mark is suggested. This usually requires that an advertisement:
  • Must be expressly marked as an advertisement.
  • Must clearly stand out from the hit list of the search results.
  • Must not contain the trade mark.
  • Must name the internet domain.

Domain Names

26. What limitations are there in relation to licensing of domain names?
There are no specific regulations regarding the licensing of domain names. The licensing is subject to an agreement between the registrant and the central registry (DENIC eG).
However, the laws on trade marks must be taken into account when registering domain names, which requires checking on whether the envisaged domain name is protected as a trade mark of another party to avoid action from potential trade mark holders.
27. Can use of a domain name confer rights in a word or phrase contained in it?
Domain names are not subject to any specific protection under German law.
A domain name can be registered as a trade mark, provided that the general requirements for registration are fulfilled in accordance with German trade mark law. The use of a domain name may over time also constitute a protected, unregistered trade mark.
28. What restrictions apply to the selection of a business name, and what is the procedure for obtaining one?
Business names are protected under the Civil Code and the law on trade marks (as a commercial designation in the form of a company symbol). Therefore, it should be checked (regarding both a name search as well as a trade mark search) whether the contemplated business name already exists in identical or similar form.
Business names must not mislead customers (Unfair Trade Practices Act).
Business names must be registered with the commercial register located at local courts, except for small businesses (which is, among others, determined by their annual turnover) and civil law partnerships (GbR). The application for entry requires public certification, and the amount of fees for the registry depends on the size of the business (taking into account capital, business partners and so on).
Small businesses and civil law partnerships (GbR) cannot register with the commercial register, but only with the respective municipal office of the city where they are located.

Jurisdiction and Governing Law

29. What rules do the courts apply to determine the jurisdiction and governing law for internet transactions (or disputes)?

Jurisdiction

There are no specific rules applying to internet transactions (or disputes). The general rule under the Recast Brussels Regulation ((EU) 1215/2012) is that in a B2B case the jurisdiction in which the obligation is performed (that is, the place of delivery in the case of goods or the place of provision of services in a service agreement) determines the jurisdiction.
In a B2C situation, a consumer can decide whether to take action against the other party to a contract before the courts where the other party or where the consumer is domiciled. Other rules apply if the defendant is domiciled outside of the EU. Those other rules follow the national law of Germany if the plaintiff is domiciled in Germany, which would typically result in the defendant being sued in its country of residence. Agreements on the place of jurisdiction can always be concluded effectively in B2B situations, but in B2C situations this is rarely possible.

Governing Law

Within the European context, the governing law follows the parties' agreement on the applicable law in the contract (Article 10, Rome I Regulation ((EC) 593/2008)). In a B2C contract, the parties are free to choose their applicable law, but the consumer will still keep the protection that is offered by their national consumer protection laws if they are more favourable than the provisions of the chosen law.
Agreements on the governing law can always be concluded effectively in B2B situations. However, in B2C situations, although legally possible, enforceability is difficult due to the minimum protection provided to the consumer by the national consumer protection laws that apply if they are more favourable than the provisions of the chosen law.
In tort matters, the Rome II Regulation ((EC) 864/2007) applies. The applicable law is the law of the country in which the damage occurs (Article 4).
30. Are there any alternative dispute resolution/online dispute resolution (ADR/ODR) options available to online traders and their customers?

ADR/ODR Options

On the EU level, the Alternative Dispute Resolution Directive (2013/11/EU) requires member states to implement alternative online dispute resolution options and provides for certain additional information requirements to be fulfilled by online businesses. This was implemented into German law by the Consumer Dispute Settlement Act. The Act creates out-of-court dispute settlement bodies that are available to consumers in the event of disputes with businesses. The consumer arbitration bodies are sponsored by private registered associations. Businesses must inform customers about their willingness or obligation to make settlements available. Businesses can limit their participation to certain conflicts and up to a certain value.
Under the Online Dispute Resolution Regulation ((EU) 524/2013), the Commission has developed an ODR platform that will be a single point of entry for consumers and traders seeking the out-of-court resolution of disputes in B2C cases. It is an interactive website which can be accessed electronically and free of charge in all the official languages of the institutions of the EU. Traders must inform consumers about the existence of the ODR platform and the possibility of using the ODR platform for resolving their disputes. They must also provide an electronic link to the ODR.

Remedies

In the case of settlements under the Consumer Dispute Settlement Act between consumers and businesses, remedies depend on the situation, and must be based on applicable law and observe consumer protection laws.

Advertising/Marketing

31. What rules apply to advertising goods/services online or through social media and mobile apps?
The Unfair Trade Practices Act does not specifically relate to online advertising but generally to businesses that advertise goods and services. Under this law, an unfair trade practice is generally a practice contrary to the requirements of professional diligence that materially distorts the economic behaviour of the average consumer. The Act specifies prohibited behaviour for businesses and essentially covers misleading, aggressive and pestering commercial practices. The latter category is practically important for online advertising, as it is related to commercial practices unconscionably pestering a market participant (for example, by way of e-mail advertising, subject to the circumstances of the individual case).
Online behavioural advertising (OBA) generally requires consent through a cookie banner. This is because it is not reasonable to expect users to know the extent to which their personal data is collected and transferred to other parties for the purposes of OBA (GDPR). Therefore, the data controller's legitimate interests may not provide a legal basis for the processing of data collected in relation to OBA. However, the lawfulness of data processing for OBA purposes under the GDPR, and whether consent is required, depends on the circumstances of the individual case.
32. Are any types of services or products specifically regulated when advertised or sold online (for example, financial services or medications)?
Several products/services are regulated regarding their advertising both offline and online. These include, for example, tobacco products, gambling, medication or financial services.
Those products or services are either prohibited from being advertised or sold online (for example, any types of tobacco products) or are subject to additional restrictions (for example, distribution of financial services requires approval by the Federal Financial Supervisory Authority in Germany).
33. Are there any rules or limitations relating to text messages or spam e-mails?
In line with the E-Privacy Directive, e-mail marketing and advertising generally require the customer's prior express consent under the Unfair Trade Practices Act. The term "advertising" is interpreted very broadly by German courts. Express prior consent requires the customer's active consent to marketing e-mails before receiving such e-mails (for example, by clicking a box). The Federal Court of Justice has expressly stated that assumed consent does not satisfy the requirements for e-mail marketing.
E-mail marketing does not constitute an unfair trade practice and express consent is not required if all of the following apply:
  • The advertiser has obtained the e-mail address from an existing customer in the context of sale of a product or service.
  • The advertiser uses this e-mail address to advertise its own similar products or services.
  • The customer has not objected to this use.
  • The customer has been clearly and unequivocally advised, when the address is recorded and each time it is used, that they can object to such use at any time, without costs arising from it, other than the basic rates of transmission costs.
The "double opt in" procedure is based on case law established by the Federal Court of Justice for evidence purposes. Under this procedure the advertiser must send a confirmation e-mail after a user has registered with the advertiser to receive marketing e-mails, requesting a confirmation from the user (typically requiring the user to click a confirmation link in this e-mail). If the user confirms, the consent can be proved with legal certainty.
34. Does your jurisdiction impose any language requirements on websites that target your jurisdiction or whose target market includes your jurisdiction?
There are no explicit language requirements for websites targeting Germany. However, under the Civil Code, general T&Cs, which are typically placed on websites delivering goods or rendering other services, must be transparent to become effective. Therefore, German courts have generally deemed English language T&Cs targeting a consumer as void if they have not been translated into German. The same rationale has already been applied to English language privacy policies targeted at German consumers, and these policies have also been declared void. This is likely to be assessed to the contrary if the website targets businesses, as they are more experienced in business transactions and consumer protection arguments do not apply.
These are not strict rules and the opposite can be argued, in particular under consideration of the language used to market the goods and/or services. If goods and/or services are marketed in English, the legal terms can also be in the English language.

Tax

35. Are sales concluded online subject to tax?
Value added tax (VAT) and other common sales taxes apply to online sales in the same way as to offline sales.
36. Where and when must online companies register for value added tax (VAT) (or equivalent) and other taxes? Which country's VAT (or equivalent) rate applies?
Online companies doing business in Germany do not usually need to register for VAT and other taxes unless expressly required by tax law. The most important exceptions provided by German tax law include the EUR100,000 turnover-threshold, or where the company is holding stock in German warehouses and then selling it to German customers. At this point, traders must register and start accounting for the VAT in Germany (at a 19% standard rate if the reduced rate is not applicable, depending on the specific goods or services). Reporting is required monthly. For the first VAT registration the company will be allocated to the tax authority in charge (allocation is usually based on the country of residence of the foreign business).
Other rules apply in the EU regarding companies that sell purely electronic services (such as apps, e-books, and MP3 files). Those companies only need to register for VAT in one EU member state to avoid registering, declaring and paying VAT in all member states where VAT is due.
VAT is a complex area and these issues must be assessed case by case.

Protecting an Online Business and Users

Liability for Content Online

37. What restrictions are there on what content can be published on a website (for example, laws regarding copyright infringement, defamatory content, or harmful content)?
Statements and actions that are illegal offline are usually illegal online as well. The following, among others, can apply to websites:
  • Prohibitions against the use of symbols of unconstitutional organisations (section 86a, Criminal Code).
  • Public incitement to commit offences (section 111, Criminal Code).
  • Incitement to hatred (section 139, Criminal Code).
  • Depictions of violence (section 131, Criminal Code).
  • Insult (section 185, Criminal Code).
  • Malicious gossip (section 186, Criminal Code).
  • Defamation (section 187, Criminal Code).
In addition, voice recordings of statements that were not made in public cannot be published without the spokesperson's consent (section 201, Criminal Code). Similarly, photos that show a person individually and in a non-public space can only be published with their consent (section 201a, Criminal Code).
IP protection applies to online content and websites. Content or links must be immediately deleted if there is knowledge or indication of a possible legal violation.
The Network Enforcement Act 2017 obliges website operators of profit-oriented social networks to delete "obviously criminal content" within 24 hours of receiving a complaint.
38. Who is liable for website content that breaches these restrictions (including, for example, illegal material or user-generated material that infringes copyright or other laws, such as the law of defamation)?
A website operator is fully liable for its own content. A website operator is only liable for third-party content if they make the third-party content their own (section 7, Telemedia Act 2007). For example, German courts found a company liable for copyright infringements on a third-party website because the company had set a link from its website to the third-party website of a group company with the same name and the same business purpose, on which products are jointly advertised without the difference in businesses being clearly recognisable.
39. What legal information must a website operator provide?
The Telemedia Act 2007 provides for certain requirements to be fulfilled by a website operator, particularly as to the legal obligation to provide an imprint (Impressumspflicht). This requires providing a statement which includes:
  • Name.
  • Address.
  • E-mail address.
  • Legal form, in the case of a legal person and its authorised representative and, to the extent that details are provided of the equity of the company, the share and nominal capital.
  • Company registration number (or equivalent means of identification).
  • VAT number (if applicable).
This information must be easily, directly and permanently accessible for users when telemedia are offered commercially (this is generally the case even if services are not offered in return for payment but, for example, advertisements are used to generate some income).
The website operator must also inform the user about the collection, processing and use of personal data by means of a privacy policy. This policy must also include a description of the use of cookies, if applicable.
Further information must be provided in relation to the provision of goods and services if a distance contract is concluded (for example, regarding the price including taxes, characteristics of the goods or services and information on right of withdrawal if consumers are contractually involved).
40. Who is liable for the content a website displays (including mistakes)?
Generally, the website operator can be held liable for the content published on its website. The website operator can be held liable if, for example, it is at fault in making statements that are incorrect or likely to create a false impression. By contrast, customers have no claims against website operators based on incorrect pricing. Therefore, they cannot claim any goods or services in return for the incorrect price.
However, the website operator can avoid liability if it is only considered to be a hosting provider for third-party content (that is, only if the operator does not contribute in any way to the specific content of the website for which liability is considered) under the Telemedia Act. The website operator will not be liable if:
  • It has no knowledge of the unlawful information.
  • It acts immediately after obtaining knowledge ("notice and take down procedure").
41. Can an internet service provider (ISP) shut down (or be compelled to shut down) a website, remove content, or disable linking due to the website's content, without permission?
A national court can order an internet access provider to shut down a website if the content infringes copyright law (CJEU, UPC Telekabel Wien GmbH v Constantin Film Verleih GmbH and Wega Filmproduktionsgesellschaft GmbH (Case C-314/12) EU:C:2014:192).
Further, a website operator must remove content or disable linking if it becomes aware of third party illegal content, but it is generally not required to monitor third party content on its website. It can also shut down its website, if necessary to take the content down.
Apart from illegal third party content, the website operator can stipulate rights to shut down its website, remove content or disable linking in its T&Cs. Whether those rights are effective under statutory German law is subject to the circumstances of the individual case and cannot be generalised.

Liability for Products/Services Supplied Online

42. Are there any specific liability rules applying to products or services supplied online?
In most cases, liability for products or services supplied online is the same as for offline sales. However, online traders must satisfy certain specific requirements, such as the requirements outlined in Question 7. If they do not satisfy these requirements, online traders can incur criminal liability as well as liability for damages in accordance with the general rules. For example, in relation to intellectual property, products and/or services protected under the Copyright Act and/or Trade Mark Law, the sale of infringing products online follows the same rules as in offline cases.
In relation to auction sites, providers must unequivocally clarify that they are not contractually involved in the relationship with the customer and act only as an intermediary (for example by emphasising this in the T&Cs). If considered to be a hosting provider, they are only liable if they do not comply with the "notice and take down procedure" once notified of illegal content (see Question 40).
Comparison websites must comply with the Database Directive (96/9/EC) which protects investments of database creators and limits the free adoption of its content, incorporated into German law by section 87a et seq. of the Copyright Act.

Insurance

43. What types of insurance does an online business usually need?
Online businesses require the same insurance as other businesses in the specific industry sector in which they operate. However, since IT systems, websites and processing of data often are of more importance to an online business, cyber-insurance or similar should be considered.

Reform

44. Are there any proposals to reform digital business law in your jurisdiction?
It is unlikely that digital business law as a whole will be reformed. However, the European Commission is constantly developing its Digital Single Market Strategy, so it is always possible that single parts of the applicable laws will be reformed or amended at relatively short notice.

ePrivacy Regulation

The proposed EU ePrivacy Regulation will include changes to cookie rules and the use of electronic communications data, among others. The draft regulation is currently awaiting its first reading in the European Parliament.

Digital Services Act

Launching a new European data strategy comprising a series of proposals designed to boost the EU data economy, is a priority for the European Commission. It continues to work towards launching a Digital Services Act in the fourth quarter of 2020. This is expected to take the form of a legislative proposal and impact assessment aimed at strengthening a single market for digital services. Although the eventual scope of the Act is unclear, this horizontal approach to regulating the digital sector is expected to include rules for the removal of illegal content such as:
  • Hate speech from social networks.
  • Transparency rules regarding online advertising, especially cross-border.
  • A review of certain aspects of the E-commerce Directive (2000/31/EC) (such as liability for different types of online providers).
The Digital Services Act entered into force on 16 November 2022. It applies to all digital services that connect consumers to goods, services, or content and predominantly regulates online platforms. Such online platforms face new obligations to reduce risks for users by strengthening their rights as well as being more transparent and accountable towards users.

Digital Markets Act

The Digital Markets Act sets out a range of proposals to govern large online platforms deemed to be "gatekeepers", to ensure fair and contestable digital markets. Gatekeepers are platforms that:
  • Have a significant impact on the internal market.
  • Act as an important gateway.
  • Have an entrenched and durable position.
A wide range of digital services are affected, including marketplaces, app stores, search engines, video sharing platforms, cloud services, social networks and operating systems. There will be powerful enforcement tools, with fines of up to 10% of global revenues, and the EU will have break-up powers as a last resort. The Digital Markets Act entered into force on 1 November 2022. This means that large digital platforms that offer core platform services as "gatekeepers" are subject to far-reaching regulatory measures by the European Commission.

European Data Laws

Other data-related laws proposed by the European Commission (Commission) are the:
  • EU Data Governance Act. The aim of this is to boost the use of business and public data. The Act will introduce strict conditions on the use of data, to create common European data spaces. The proposal could make available large amounts of potentially valuable data, including health data, and enable its reuse for research or new services such as artificial technology applications. The aim is to enhance trust in relation to the sharing of data among businesses, or between consumers and businesses, while lowering transaction costs. Regulation (EU) 2018/1724 (Data Governance Act) (DGA) entered into force in June 2022. There is a transition period until 24 September 2023 to adapt to the new rules.
  • EU Data Act. While the DGA creates the processes and structures to facilitate data sharing by companies, individuals and the public sector, the Data Act proposal primarily clarifies who can create value from data and under which conditions. The Data Act proposal is the last horizontal building block of the Commission's data strategy. It further allows the easier switching of cloud services, and aims to create interoperability standards. The Commission published its proposal on the Data Act on 23 February 2022.
  • EU Health Data Space (EHDS). This is a health-specific data-sharing framework establishing clear rules, common standards and practices, infrastructures and a governance framework for the use of electronic health data by patients and for research, innovation, policy-making, patient safety, statistics or regulatory purposes. Overall, it aims to regulate the primary and secondary use of health data by various parties involved in the healthcare sector. The Commission published its proposal on the EHDS on 3 May 2022.

Artificial Intelligence (AI)

The proposal of the European Commission for an AI Act was published by the Commission in April 2021. The AI Act predominantly aims to regulate AI systems based on the approach already taken by EU product safety laws (requiring a CE conformity marking for most products circulated in the EU market). This includes strict pre-market requirements and post-market obligations, which aim to mitigate the risks resulting from the AI systems (such as autonomy, complexity and data-dependency). The AI Act is part of the Commission's approach to developing an ecosystem of trust for AI, together with the proposed AI Liability Directive and a revised Product Liability Directive.
While the AI Liability Directive will address fault-based liability rules, the revised Product Liability Directive will modernise the existing rules on the strict liability of manufacturers for defective products. Both proposals aim to address autonomous behaviour, limited predictability and complexity challenges of AI when applying liability rules.

Contributor Profiles

Nils Lölfing, Counsel

Bird & Bird

T +49 (0)211 2005 6194
W www.twobirds.com
Professional qualifications. Lawyer, Germany.
Areas of practice. Commercial; devices and components; media, entertainment and sport; outsourcing; privacy and data protection; software and services; technology and communications.

Fabian Niemann, Partner

Bird & Bird

T +49 (0)211 2005 6138
W www.twobirds.com
Professional qualifications. Lawyer, Germany.
Areas of practice. Commercial; devices and components; media, entertainment and sport; outsourcing; privacy and data protection; software and services; technology and communications.