GDPR Compliance for Expat Founders in Berlin: What You Actually Need to Know
If you’ve started a business in Berlin, someone has almost certainly mentioned GDPR to you — probably with a tone that suggested it was both urgent and incomprehensible. The General Data Protection Regulation has been in force since May 2018, and it applies to every business operating in the EU, regardless of size. That includes the two-person startup you’re running from a co-working space in Mitte.
The good news: for most small businesses and startups, GDPR compliance is more manageable than the horror stories suggest. The bad news: ignoring it entirely is genuinely risky. Fines have been issued to businesses of all sizes, and regulators in Germany (specifically Berlin’s Berliner Beauftragte für Datenschutz und Informationsfreiheit) are among the more active in Europe.
This guide is written for expat founders — people building businesses in Germany who didn’t grow up with European data protection culture and may be encountering these rules seriously for the first time.
What GDPR Actually Regulates
GDPR regulates the processing of personal data: any information relating to an identified or identifiable living person. This is broader than most people assume. A name and email address is personal data. So is an IP address, a cookie identifier, a device ID, a location record, or a photograph of someone’s face, and so is data that identifies someone only when combined with other information you hold.
“Processing” covers almost everything you can do with data: collecting it, storing it, reading it, sharing it with third parties, using it to send marketing emails, or deleting it. If your business touches personal data in any of these ways, GDPR applies to you.
The regulation applies to you if you’re established in the EU (which you are, operating in Berlin), or if you offer goods or services to people in the EU, or if you monitor the behaviour of people in the EU. For most Berlin startups, the first criterion alone is sufficient.
The Six Legal Bases for Processing
Before you can process someone’s personal data, you need a legal basis. GDPR defines six. For small businesses, three are most relevant:
Consent — The person has actively opted in to their data being used for a specific purpose. This is the basis most people think of first, but it’s actually one of the harder ones to rely on because consent must be freely given, specific, informed, and unambiguous. Pre-ticked boxes don’t count. Bundling consent with your terms of service doesn’t count. If you rely on consent, you must also make it easy for people to withdraw it at any time.
Legitimate interests — You can process data if you have a genuine business need, provided that need isn’t overridden by the individual’s rights. Sending a follow-up email to someone who just contacted you about your services is likely legitimate interest. Selling that person’s contact details to a third party is not. This is a useful basis for B2B outreach and internal business operations, but requires a balancing test you should document.
Contract performance — If someone is your customer or supplier, you can process their data to the extent necessary to fulfil your contract with them. Storing a customer’s delivery address so you can ship their order is covered here.
The other three bases — legal obligation, vital interests, and public task — are less commonly relevant to startups.
What Most Small Businesses in Berlin Actually Need to Do
The practical GDPR requirements for a small business break down into four areas:
1. Privacy notice (Datenschutzerklärung) — Every website and app must have one, in German if your audience is German-speaking. It must explain what data you collect, why you collect it, the legal basis for each type of processing, how long you retain it, who you share it with, and how people can exercise their rights. If you use Google Analytics, Mailchimp, a CRM, or any cloud service that handles personal data, those third-party processors need to be listed. This is not optional and not something you can omit or copy-paste without reviewing carefully.
2. Record of processing activities (Verzeichnis von Verarbeitungstätigkeiten) — Businesses with fewer than 250 employees are exempt from this requirement (Art. 30(5) GDPR) only if their processing is occasional, unlikely to result in a risk to individuals, and involves no special categories of data. Handling customer, user or employee data as part of normal operations is not occasional, so in practice almost every business still has to keep the record. It doesn’t have to be complex: a spreadsheet with one row per processing activity, documenting what data you process, about whom, why, where it’s stored, who can access it, which processors and non-EU recipients receive it, when it’s deleted, and what technical and organisational measures protect it, is sufficient for most small businesses. It is also the first document a supervisory authority asks for, so keep it current.
3. Data processor agreements — Any company that processes personal data on your behalf (a cloud hosting provider, a payroll service, an email marketing platform) is a data processor under GDPR. You are required to have a written Data Processing Agreement (DPA) with each of them. Most major services provide these automatically — Google Workspace, Microsoft 365, HubSpot, Stripe, and similar platforms all have DPAs available in their settings. The risk for small businesses is the services they haven’t checked: the small SaaS tool they signed up for without reading the privacy policy, or the freelancer they shared a customer list with.
4. Data subject rights — Individuals have the right to access their data, correct inaccuracies, request deletion, restrict processing, object to processing, and receive their data in a portable format. You must respond without undue delay and at the latest within one month of receiving the request (Art. 12(3) GDPR); for complex or numerous requests this can be extended by two further months, but only if you tell the person why within the first month. Two practical points follow. First, you must be able to find every record about one person across all your systems (CRM, mailing tool, invoicing, support desk), so knowing where your customer data lives and being able to extract or delete a specific person’s records without a major project is the real requirement. Second, verify that the requester is who they claim to be before releasing anything: handing a customer’s records to an impostor who sent an access request is itself a personal data breach. Note also that erasure is not absolute; records you must keep under German commercial and tax law (invoices, for example) stay for their statutory retention period, and you tell the person so in your reply.
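The following is an added example written for this article, not code from the original page or from any product. It shows the mechanics behind points 2 and 4 above: a machine-readable slice of the record of processing activities is used to answer an access request across several systems and to carry out an erasure request while keeping what a legal obligation still requires. The three systems, their field names, the 10-year invoice retention rule and the sample records are all constructed assumptions for illustration.

```javascript
'use strict';
// Handling an access or erasure request across several systems. Added example
// for this article, not code from the original page or from any product. The
// systems, field names, retention rule and sample records are assumptions.

// A machine-readable slice of the record of processing activities: one entry
// per system holding personal data, with the field used to find a person and
// whether records may be erased on request. Assumed rule: invoices are kept
// for 10 years from the end of the year of issue (German tax/commercial law).
const DATA_MAP = {
  crm:        { lookup: 'email',          legalBasis: 'contract',         erasable: true },
  newsletter: { lookup: 'email',          legalBasis: 'consent',          erasable: true },
  invoices:   { lookup: 'customer_email', legalBasis: 'legal obligation', erasable: false,
                dateField: 'issued', retentionYears: 10 },
};

// Constructed sample data standing in for three separate tools.
const STORES = {
  crm: [
    { id: 1, email: 'anna@example.com', name: 'Anna Example', phone: '+49 30 0000000' },
    { id: 2, email: 'ben@example.com',  name: 'Ben Example',  phone: '+49 30 1111111' },
  ],
  newsletter: [
    { email: 'anna@example.com', subscribed: true, consented_at: '2023-02-01' },
  ],
  invoices: [
    { no: 'INV-2022-017', customer_email: 'anna@example.com', amount_eur: 120, issued: '2022-11-03' },
    { no: 'INV-2025-002', customer_email: 'anna@example.com', amount_eur: 80,  issued: '2025-01-15' },
  ],
};

// Access / portability request: every record about the person, per system,
// together with the legal basis the data map records for that system.
function buildAccessExport(stores, dataMap, email) {
  const out = {};
  for (const [system, meta] of Object.entries(dataMap)) {
    const rows = (stores[system] || []).filter(r => r[meta.lookup] === email);
    if (rows.length) out[system] = { legalBasis: meta.legalBasis, records: rows };
  }
  return out;
}

// End of a retention period: 31 December of the year (issueYear + years).
function retentionEnd(isoDate, years) {
  const year = new Date(isoDate + 'T00:00:00Z').getUTCFullYear() + years;
  return new Date(Date.UTC(year, 11, 31, 23, 59, 59));
}

// Erasure request: delete what may be deleted, keep what a legal obligation
// still requires, and report both so the reply to the person is complete.
// Mutates `stores`, which stands in for the real systems.
function processErasure(stores, dataMap, email, now = new Date()) {
  const deleted = {};
  const retained = [];
  for (const [system, meta] of Object.entries(dataMap)) {
    const keep = [];
    let removed = 0;
    for (const r of stores[system] || []) {
      if (r[meta.lookup] !== email) { keep.push(r); continue; }
      const end = meta.erasable ? null : retentionEnd(r[meta.dateField], meta.retentionYears);
      if (end === null || now > end) {
        removed += 1;
      } else {
        keep.push(r);
        retained.push({ system, record: r.no || r.id, reason: meta.legalBasis,
                        keptUntil: end.toISOString().slice(0, 10) });
      }
    }
    stores[system] = keep;
    if (removed) deleted[system] = removed;
  }
  return { deleted, retained };
}

// Statutory deadline: one month from receipt (Art. 12(3) GDPR). If the
// target month is shorter, the last day of that month is used.
function responseDeadline(receivedIso) {
  const d = new Date(receivedIso + 'T00:00:00Z');
  const day = d.getUTCDate();
  d.setUTCDate(1);
  d.setUTCMonth(d.getUTCMonth() + 1);
  const lastDay = new Date(Date.UTC(d.getUTCFullYear(), d.getUTCMonth() + 1, 0)).getUTCDate();
  d.setUTCDate(Math.min(day, lastDay));
  return d.toISOString().slice(0, 10);
}

// Walk-through on the sample data.
console.log(JSON.stringify(buildAccessExport(STORES, DATA_MAP, 'anna@example.com'), null, 2));
console.log(responseDeadline('2025-01-31'));
console.log(processErasure(JSON.parse(JSON.stringify(STORES)), DATA_MAP, 'anna@example.com',
                           new Date('2026-03-01T00:00:00Z')));
```

The point of the `retained` list is that an erasure reply has to say what was kept and why; the data map is what lets you answer that without guessing. In a real setup each entry in `DATA_MAP` would map to an API call or export from the tool in question, and the identity check described above happens before any of this runs.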
Cookies, Tracking, and Your Website
German data protection law adds a layer on top of GDPR here. The Telekommunikations-Telemedien-Datenschutz-Gesetz (TTDSG), in force since 1 December 2021 and renamed the TDDDG (Telekommunikation-Digitale-Dienste-Datenschutz-Gesetz) in May 2024 with the cookie rule unchanged, requires consent before anything is stored on, or read from, the user’s device unless that is strictly necessary to provide the service the user asked for. This covers cookies, localStorage entries, tracking pixels and similar identifiers regardless of the technology. If your website uses Google Analytics, Facebook Pixel, or any advertising or tracking tool, you need a functional cookie consent banner: one that actually blocks those tools from loading or setting anything until the user consents, not one that just displays text while the scripts run in the background. Consent here means GDPR-standard consent, so the rules in the section on consent above apply.
A banner that says “we use cookies” with only an “Accept” button does not comply. There must be a genuine way to decline non-essential cookies, and declining must be as easy as accepting.
For most Berlin startups, a tool like Cookiebot, Usercentrics, or Borlabs Cookie (for WordPress) handles this correctly, but only if it is configured to block the third-party scripts, not merely to display a banner. The check takes two minutes: open a private browser window, open the developer tools (Network and Application/Storage tabs), load your site, and do not click the banner. If you already see requests to google-analytics.com, googletagmanager.com, facebook.com or similar, or cookies such as _ga or _fbp, the tool is not blocking anything and the banner is a liability rather than protection. Repeat the check after clicking “Decline” and confirm the same.
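To make concrete what “blocking until consent” means, here is an added example written for this article; it is not code from the original page or from any of the consent-management products named above. It uses the mechanism those tools rely on: tracking scripts are written into the HTML with `type="text/plain"`, which browsers never execute, and are only swapped for real `<script>` elements once a stored, affirmative choice permits it. The attribute names (`data-category`, `data-src`), the cookie name and the category names are assumptions chosen for the example.

```javascript
'use strict';
// Consent-gated loading of tracking scripts. Added example for this article,
// not code from the original page or from any consent-management product.
// The attribute names, the cookie name and the category names are assumptions.
//
// Every non-essential script in the HTML is written with type="text/plain",
// which the browser does not execute, plus a data attribute naming its consent
// category. Nothing is fetched or run until a stored choice allows it; then
// the placeholder is swapped for a real <script>. Markup assumed by this code:
//
//   <script type="text/plain" data-category="analytics"
//           data-src="https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX"></script>
//   <script type="text/plain" data-category="marketing">/* inline pixel code */</script>

const CONSENT_COOKIE = 'cookie_consent';        // first-party; strictly necessary itself
const CATEGORIES = ['analytics', 'marketing'];  // non-essential categories on this site

// Parse a stored value such as "v=1&analytics=1&marketing=0". Missing or
// malformed input means "no decision yet" and every category false.
function parseConsent(value) {
  const consent = { decided: false };
  for (const c of CATEGORIES) consent[c] = false;
  if (typeof value !== 'string' || value === '') return consent;
  for (const pair of value.split('&')) {
    const [key, val] = pair.split('=');
    if (key === 'v') consent.decided = true;
    else if (CATEGORIES.includes(key)) consent[key] = val === '1';
  }
  return consent;
}

// Serialise a choice. A full decline is stored as well, so declining is as
// easy as accepting and the banner does not reappear on every page.
function serializeConsent(choices) {
  const parts = ['v=1'];
  for (const c of CATEGORIES) parts.push(`${c}=${choices[c] ? 1 : 0}`);
  return parts.join('&');
}

// Pick the consent cookie out of a document.cookie string.
function readConsentCookie(cookieString) {
  for (const part of (cookieString || '').split(';')) {
    const [k, ...rest] = part.trim().split('=');
    if (k === CONSENT_COOKIE) return decodeURIComponent(rest.join('='));
  }
  return '';
}

// Pure decision: which placeholders may be activated under this consent.
// Unknown categories never activate, so the logic fails closed.
function scriptsToActivate(placeholders, consent) {
  return placeholders.filter(p => CATEGORIES.includes(p.category) && consent[p.category] === true);
}

// Browser side: replace permitted placeholders with executable scripts.
function activateScripts(doc, consent) {
  const nodes = Array.from(doc.querySelectorAll('script[type="text/plain"][data-category]'));
  const placeholders = nodes.map(el => ({ el, category: el.getAttribute('data-category') }));
  for (const p of scriptsToActivate(placeholders, consent)) {
    const real = doc.createElement('script');
    const src = p.el.getAttribute('data-src');
    if (src) real.src = src; else real.textContent = p.el.textContent;
    p.el.replaceWith(real);   // this is the first moment the tracker loads
  }
}

// Called by the banner's buttons with e.g. { analytics: true, marketing: false }.
function onBannerChoice(doc, choices) {
  const value = encodeURIComponent(serializeConsent(choices));
  doc.cookie = `${CONSENT_COOKIE}=${value}; Max-Age=15552000; Path=/; SameSite=Lax; Secure`;
  activateScripts(doc, parseConsent(serializeConsent(choices)));
}

// On page load: only a previously stored, affirmative choice activates anything.
if (typeof document !== 'undefined') {
  const stored = parseConsent(readConsentCookie(document.cookie));
  if (stored.decided) activateScripts(document, stored);
  // otherwise render the banner, with equally prominent "Accept all" and
  // "Decline all" buttons, and route its result through onBannerChoice.
}
```

Two design points matter for compliance. The consent cookie itself is strictly necessary (it records the user’s choice) and needs no consent. And a decline is stored as a decision, so the visitor is not nagged on every page, while `scriptsToActivate` still returns nothing for them; a tool that only hides the banner on “Decline” but keeps loading the scripts fails exactly the check described above.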
The Data Transfer Question
If you use US-based cloud services — which almost all businesses do — you need to be aware of the cross-border data transfer rules. Transferring personal data from the EU to the US is only lawful under specific mechanisms. The EU-US Data Privacy Framework (DPF), adopted in July 2023, restored a legal pathway for transfers to certified US companies. Most major US cloud providers (Microsoft, Google, AWS, Salesforce) are certified under DPF and their DPAs reference it. Certification is per company, so check the official DPF participant list rather than a sales page. However, this framework has faced legal challenges before (its predecessors Safe Harbor and Privacy Shield were both struck down by the CJEU), so monitoring this area is worthwhile if your business processes significant amounts of personal data.
The practical implication: for each US service you use, confirm that it is DPF-certified, or that its DPA includes the EU Standard Contractual Clauses (SCCs). Since the Privacy Shield ruling, relying on SCCs also means documenting a short transfer impact assessment (which country the data goes to, what its laws allow, and what safeguards such as encryption apply). Record the mechanism used for each provider in your record of processing activities.
When You Need a Data Protection Officer
Most small businesses and startups do not need a formal Data Protection Officer (DPO). Under GDPR, a DPO is mandatory only if your core business activities involve large-scale, systematic monitoring of individuals, or large-scale processing of special categories of data (health, biometric, genetic, political opinions, religious beliefs, etc.). A typical Berlin B2B startup or service business does not fall into these categories.
That said, German federal law (§ 38 BDSG) sets a lower threshold: a DPO is required as soon as at least 20 people are regularly engaged in the automated processing of personal data. In a typical office that means anyone whose daily work involves customer or employee data on a computer, so most desk roles count, and it is this activity-based count rather than total headcount that matters. The same provision requires a DPO regardless of headcount if your processing calls for a data protection impact assessment under Art. 35 GDPR. The DPO does not have to be an employee; an external service provider can take the role.
Practical Starting Points
If you’re approaching GDPR seriously for the first time as a Berlin founder, the practical starting sequence looks like this: audit what personal data you actually collect and where it lives; review and update your privacy notice; check that you have DPAs in place with your key processors; implement a proper cookie consent mechanism on your website; and document your record of processing activities.
None of this requires a law firm for a typical small business. It does require time, attention, and willingness to actually look at your tools and data flows rather than hoping the problem doesn’t come up. The risk of a formal complaint or audit increases over time as GDPR enforcement matures — the early years of light-touch enforcement for small businesses are largely over.
If your business is growing and your data footprint with it — more employees, more customer data, more marketing tools — the complexity scales up. At that point, a structured review by an IT security and compliance partner is a worthwhile investment, both to close specific gaps and to build the documentation that demonstrates a good-faith effort if you’re ever subject to a regulatory inquiry.
