Skip to main content
Data Protection / GDPR

TTDSG

The TTDSG (now TDDDG) governs data protection in telecommunications and telemedia, especially the protection of terminal equipment, and complements the GDPR for matters such as cookies and tracking.

The Telecommunications-Telemedia Data Protection Act (TTDSG) came into force on 1 December 2021 and consolidated the previously scattered data-protection provisions of the Telecommunications Act (TKG) and the Telemedia Act (TMG) into a single dedicated law. Effective 14 May 2024 it was renamed the Telecommunications-Digital-Services Data Protection Act (TDDDG) to align it with the Digital Services Act; its core rules remained substantively unchanged. The act in particular transposes the ePrivacy Directive (2002/58/EC) into German law and applies to providers of telecommunications services as well as to telemedia such as websites, apps and online platforms.

The provision of greatest practical importance is Section 25 TTDSG/TDDDG. It requires the user's prior consent before information is stored on their terminal equipment or information already stored there is accessed – regardless of whether that information constitutes personal data. This covers not only classic cookies but also pixels, local storage, device fingerprinting and comparable techniques. Access without consent is permitted only where it is strictly necessary for transmitting a message or absolutely necessary to provide a service explicitly requested by the user (Section 25(2) TTDSG/TDDDG).

In relation to the GDPR, Section 25 TTDSG/TDDDG operates as a more specific, overriding rule (lex specialis) for access to terminal equipment. The consent itself must meet the GDPR's requirements (Art. 4(11), Art. 7 GDPR): freely given, informed, unambiguous and revocable. Once personal data is further processed after a permissible read or storage operation, the GDPR applies again with its principles, legal bases and data-subject rights. TTDSG/TDDDG and the GDPR are therefore not alternatives but must be examined in sequence: first the lawfulness of the terminal access, then that of the subsequent data processing.

Legal Basis

Section 25 TTDSG/TDDDG (formerly TTDSG, TDDDG since 14 May 2024); Art. 5(3) ePrivacy Directive 2002/58/EC; Art. 4(11), Art. 6, Art. 7 GDPR

Practical Example

An online shop wants to deploy third-party web analytics and marketing pixels. The data protection coordinator first checks Section 25 TTDSG/TDDDG: because these services set cookies and read data from the device, prior consent is required. She implements a consent management tool that, on the first page visit, offers an equivalent choice between "Accept all" and "Reject all", loads analytics and marketing scripts only after active consent, and logs the consents in an audit-proof manner. For the subsequent processing of the personal data she documents the legal basis under the GDPR and adds the processing activity to the record of processing activities.

FAQ

They are the same law. The TTDSG was renamed TDDDG (Telecommunications-Digital-Services Data Protection Act) on 14 May 2024 to align it with the Digital Services Act. The core content, in particular the consent requirement in Section 25, remained unchanged.
Access to the terminal device – that is, setting or reading cookies – is governed primarily by Section 25 TTDSG/TDDDG and generally requires prior consent. The requirements for that consent itself (freely given, informed, revocable) follow from the GDPR. The two rules therefore interlock in stages.
Under Section 25(2) TTDSG/TDDDG, only strictly necessary access is permitted without consent, for example to transmit a message or to provide a service the user has explicitly requested. This typically includes session cookies for the shopping cart or login. Analytics and marketing cookies are not covered.

How preeco supports you

Learn how our software supports you with this topic.

Learn more

Related Terms

Consent Cookie consent Legal basis Personal Data Federal Data Protection Act
Back to Glossary