Outbound Call and Data Privacy Regulations in Germany

Legal Basis

Germany does not maintain a single national "Do Not Call" registry as found in some other countries. Instead, telemarketing calls to consumers (private individuals) are generally prohibited unless the consumer has given prior explicit consent to be called. Unsolicited cold calls without such consent are unlawful under Section 7 of the Gesetz gegen den unlauteren Wettbewerb (UWG, Unfair Competition Act). In legal terms, an unexpected advertising call is considered an "unzumutbare Belästigung" (an unreasonable nuisance) to the called party. Companies engaging in unauthorized sales calls are acting anti-competitively and can face both private legal action and regulatory penalties. Consumers have the right to demand cessation of unwanted calls and can seek injunctions under civil law to stop further harassment.

Consent Requirement

To legally place an outbound marketing call, a business must obtain the recipient's express permission in advance. It is not sufficient to start the call by asking for consent – the permission must be in place before dialing. Typically this consent is collected in writing or via an online form or similar double opt-in process. (Pre-ticked boxes or buried clauses in terms and conditions are not valid consent – German courts have ruled that any pre-formulated, opt-out style "consent" for calls is invalid.) Companies are now obliged to document and retain proof of each consumer's consent for a defined period. Since October 2021, a new provision §7a UWG (introduced by the "Gesetz für faire Verbraucherverträge" or Fair Consumer Contracts Act) requires telemarketers to keep records of consent for 5 years from when consent is obtained and from each time it is used. They must be ready to produce these consent records to regulators on request. Failure to properly document or retain proof of consent can itself be punished with fines up to €50,000.

National Opt-Out Lists

Due to the strict opt-in regime, Germany does not operate a government-run DNC list for phone calls – in principle no call is allowed without prior opt-in, so an opt-out list is conceptually unnecessary. Industry groups (such as the German Dialog Marketing Association, DDV) maintain "Robinson lists" for consumers who object to marketing, but these are mainly used for postal mail or email. In fact, the DDV explicitly does not offer a Robinson list for telephone marketing, noting that German law always requires prior consent for calls, and thus each company must rely on its own database of users who agreed to be called rather than any central suppression list. Nonetheless, as a best practice, telemarketers should maintain their own internal do-not-call lists – if a person withdraws consent or objects to future calls, the company must honor that and avoid calling them again. Companies should regularly update their calling lists to ensure anyone who opted out or whose consent has expired is excluded.

Coverage of Rules (B2C vs B2B)

The strict consent rule applies to calls targeting consumers. For calling business customers (B2B), the law is slightly less stringent but still restrictive. Calls to other businesses or professionals without explicit permission are only allowed if "at least a presumed consent" (mutmaßliche Einwilligung) can be inferred. This means there should be concrete indications that the business recipient likely is interested in the call's subject and has not objected to such calls. In practice, presumed consent is a high bar: the product or service must closely relate to the recipient's business needs and there should be an existing relationship or inquiry that justifies the call. A mere guess or industry match (same sector) is not enough to assume consent. If a business has indicated it does not wish to receive marketing calls, then no "implied consent" can be claimed. In summary, cold calls to businesses are also prohibited unless the caller can point to specific circumstances suggesting the call is welcome. Companies should document the rationale for any B2B call without explicit consent, in case they need to defend it.

Penalties for Violations

Germany vigorously enforces these telemarketing rules. The Bundesnetzagentur (Federal Network Agency) – which is the telecom regulator – is empowered to investigate and fine violations. Placing marketing calls without the required consent is an administrative offense that can carry heavy fines. Currently, fines can be as high as €300,000 per incident for illicit telemarketing calls to consumers. In recent years, the Bundesnetzagentur has not hesitated to use this authority: for example, in 2023 it imposed a total of €1.435 million in fines against companies for illegal telemarketing calls. Individual companies have faced penalties at or near the statutory maximum (e.g. several energy suppliers were each fined €285,000 for aggressive unsolicited call campaigns). These fines underscore that regulators take "Do Not Call" rules very seriously. In addition to regulatory fines, companies may be exposed to civil litigation: consumer protection organizations or competitors (via the Wettbewerbszentrale, the Center for Protection against Unfair Competition) can send cease-and-desist letters or sue for injunctive relief against unlawful calls. Thus, non-compliance can lead to both public-law fines and private-law enforcement.

Germany has implemented measures to ensure the authenticity of caller identification (Caller ID) and to combat number spoofing in outbound calls. The goal is to prevent fraud and protect consumers from misleading or falsified caller information. Key regulations and practices include:

Caller ID Display Requirements

Telemarketers are required to transmit a valid, non-blocked phone number as Caller ID when making outbound calls. It is illegal for a company to call with a withheld ("anonymous") number when the call's purpose is telemarketing. Since December 2021, the Telecommunications-Telemedia Data Protection Act (TTDSG) §15(2) expressly forbids number suppression on marketing calls to consumers. In other words, a company must show a callable number on the recipient's phone. Violating this (calling with "No Caller ID") is deemed an unlawful act and can be punished with fines up to €300,000, similar to other telemarketing offenses. This rule ensures that recipients can see who is calling and have the opportunity to call back or identify the source. It also aids traceability of unwanted calls by authorities.

Use of Authentic Numbers

Deliberately sending a false or "spoofed" number as Caller ID is prohibited. Under the German Telecom Act (TKG), the number displayed must be one that the caller is authorized to use – typically a number allocated to that calling company or individual. Call centers are not allowed to transmit phone numbers that do not belong to them (for example, pretending to call from a local area code or another company's number if they have no rights to it). The Bundesnetzagentur treats the use of manipulated or unassigned numbers as a serious offense. Indeed, telemarketing companies "may not call with a manipulated caller number that is not allocated to them", and doing so can also trigger fines up to €300,000. In practice, this means a call center should only present numbers that have been officially assigned to it (or its client) by a telecom provider. If a call campaign wants to use a specific Caller ID (e.g. a local presence number or a toll-free number), the company must have legitimate ownership or usage rights for that number.

Blocking of Illicit Spoofed Calls (DNO)

In December 2022, new regulations took effect to strengthen "Do Not Originate" protections – i.e. preventing calls from ever reaching consumers if the Caller ID is obviously spoofed or untrustworthy. Bundesnetzagentur now requires all telephone service providers to implement technical measures to filter out certain invalid or high-risk Caller IDs. For example, any call that displays an emergency number (110, 112) or certain premium-rate and service numbers (like 0900, 0137, directory assistance codes) as the caller ID must be automatically disconnected/blocked by the carrier. These numbers are not allowed as outgoing caller IDs, since ordinary users or telemarketers should never be presenting an emergency or premium number as their own. Similarly, calls coming from outside of Germany are not permitted to display a German domestic number on the recipient's device. If an international call attempts to spoof a German phone number, the German telephone providers must suppress or remove the false number before connecting the call. (The only exception is for genuine German mobile numbers used by customers roaming abroad, which are allowed – e.g. if a German mobile user calls from overseas, their number can still show.) These "DNO" rules help ensure that when a German number shows up on caller ID, the call is actually originating from that number's rightful owner or at least from within Germany. As a result of this policy, consumers may notice more calls coming through with "anonymous" caller ID – because illegitimate foreign calls that used to carry fake German numbers will now be delivered without any number at all or be blocked. The increase in anonymous calls is a side-effect of blocking spoofed numbers, and the regulator advises consumers that not every hidden-number call is fraudulent (some legitimate callers withhold numbers for privacy). Overall, however, the intent is to greatly reduce scam calls that rely on impersonating local numbers.

Telecom Operator Obligations

Telephone network operators in Germany bear responsibility for implementing these caller ID authentication and blocking measures. They had to upgrade systems by December 2022 to comply. Providers must ensure that outgoing calls from their network include valid caller information and that they do not alter or fabricate caller IDs in transit. Likewise, if they detect incoming traffic from abroad with German spoofed IDs, they must strip the ID or drop the call as per the rules. These carrier-level steps complement the legal duties on callers themselves. Together, they aim to prevent caller ID abuse at both the source and network level.

Requirements for Call Centers

For call center operations, these regulations mean that any outbound dialing systems must be configured to present an authorized caller ID (one that belongs to the calling company or client) and never dial out as "unknown number" for marketing campaigns. Call centers should coordinate with their telecom providers to obtain suitable numbers for outbound campaigns (for example, obtaining a block of numbers or a specific presentation number for return calls). They must also refrain from techniques like rotating fake numbers or disguising their identity – such practices would violate both the UWG/TTDSG rules and telecom law. In summary, German law mandates transparency and truthfulness in caller identification: the called party should be able to see a legitimate number and identify who is calling, and the telephone networks have mechanisms to intercept blatantly fake caller IDs.

Outbound calling operations in Germany must also comply with robust data protection regulations. The EU General Data Protection Regulation (GDPR) applies in full, and it is supplemented by Germany's national law, the Bundesdatenschutzgesetz (BDSG). These laws govern how personal data (such as phone numbers, names, and call recordings) are collected, used, and protected in the context of telemarketing or call center activities.

GDPR Applicability

Since Germany is an EU member state, the GDPR is the primary framework for data protection. GDPR covers any processing of personal data of individuals in Germany, whether by domestic companies or foreign companies targeting the German market. This means call centers or companies making calls to German residents must follow GDPR rules regarding lawful basis, transparency, security, etc. The territorial scope of GDPR (Article 3) is broad – even a call center located outside the EU is subject to GDPR if it is calling individuals in Germany for marketing (offering goods/services to people in the EU). Such foreign companies without an EU establishment are typically required to appoint an EU representative under GDPR Article 27, to act as a local contact for data subjects and regulators. In practice, any company (domestic or foreign) conducting outbound calls to German residents will be processing personal data (e.g. a person's name, phone number, and call logs), so GDPR rules must be followed alongside the call-specific rules.

Consent and Legal Basis

There is a close interplay between the telemarketing consent under UWG and the consent under GDPR. In fact, to call a consumer, a company usually must have that person's prior consent for marketing – this satisfies both the UWG requirement (permission for the call) and provides a lawful basis under GDPR (consent for processing the phone number for marketing purposes). GDPR defines consent strictly (it must be freely given, specific, informed, and unambiguous). In Germany's context, if a consumer has not consented, the call cannot be made at all due to UWG; conversely, if a valid UWG consent exists, that likely constitutes valid GDPR consent to use their contact data for that call. There are limited situations (like B2B calls) where a company might try to rely on legitimate interest (Art. 6(1)(f) GDPR) instead of consent – for example, calling a business contact where an implied consent is assumed. However, this is risky and strictly evaluated, as unsolicited calls can easily infringe privacy. Generally, explicit consent is the gold standard for telemarketing data processing. If consent is the basis, the GDPR gives individuals the right to withdraw consent at any time, and if they do, the company must stop processing (stop calling).

Data Subject Rights and Transparency

GDPR mandates that individuals be informed about the processing of their personal data. In practice, if a company obtained someone's phone number (say via a website sign-up or a contest entry where they agreed to be contacted), the company must have provided a privacy notice explaining how the data will be used (e.g. "we may call you about our products") and other GDPR information (contact details of the company, data protection officer, rights, etc.). When making the call, if the individual asks, the caller should be able to identify the data controller (the company) and possibly refer them to where they can read the full privacy policy. Individuals have the right to access their data (they can request, for example, "what information do you have about me and where did you get my number?"), and the company must respond. They also have rights to rectification and erasure – if someone says "please delete my number, I don't want any more calls," the company must honor that (as long as no other legal necessity to keep it). In telemarketing, it's common and advisable to immediately add such individuals to an internal suppression list to avoid future calls, and then delete their contact info if appropriate. Opt-out mechanisms should be easy; for instance, if a person says during the call "remove me from your list," this should be recorded and respected. Additionally, if calls are made based on legitimate interest (in B2B scenarios), the called party has a right to object to the processing of their data for direct marketing at any time, and if they do, the company must cease (GDPR Art. 21(2) gives an absolute right to object to direct marketing).

Data Security and Handling

Companies must protect any personal data involved in outbound calling. This includes securing databases of phone numbers and customer profiles, as well as safeguarding call recordings or call notes. GDPR requires appropriate technical and organizational measures to ensure confidentiality and prevent unauthorized access. In a call center environment, this means access controls so that only authorized staff see personal data, using encryption or secure lines for data transmission, and training employees on data protection. If call centers record calls (for quality assurance or training), those recordings are personal data and potentially sensitive – they must be stored securely, and access should be restricted. Under telecommunications secrecy laws (incorporated in the TTDSG and TKG), the content of communications is specially protected, which means that call recordings or detailed call content should not be shared or used beyond permissible purposes.

Bundesdatenschutzgesetz (BDSG) Specifics

The BDSG is Germany's national data protection act that works alongside GDPR, mainly filling in some areas where GDPR allows national variation. Some additional requirements in Germany under the BDSG that are relevant:

Data Protection Officer (DPO)

Germany has a lower threshold for mandatory appointment of a DPO in companies. Under BDSG §38, any company with 20 or more persons regularly involved in processing personal data must appoint a Data Protection Officer. This is often applicable to call centers, since typically a call center with 20+ agents handling personal data would trigger this requirement. The DPO advises the company on GDPR/BDSG compliance, trains staff, and serves as a contact point for regulators and data subjects. (Even below that threshold, if the processing is extensive or involves special data, a DPO might be needed, but 20 persons is a clear rule in Germany.)

Employee Data and Call Centers

If the call center's own employees' data is in question (like monitoring calls for performance), BDSG §26 covers employee data protection. But for customer data, the general GDPR rules apply.

Consent Forms

The BDSG (and German law in general) tends to be strict about the form of consent. For certain types of processing, written consent may be recommended. While GDPR allows oral consent, in telemarketing it's practically necessary to have written/electronic proof (also because of UWG's documentation duty). Companies should ensure any consent language meets GDPR standards and isn't hidden in fine print (as noted, German law invalidates pre-formulated "opt-out" style consents).

Fines

Enforcement of GDPR in Germany can lead to heavy fines as well (up to €20 million or 4% of global turnover for major violations, per Article 83 GDPR). If a call center misuses data or calls people without a lawful basis, it could potentially face not only UWG fines from BNetzagentur but also GDPR fines from data protection authorities. In practice, the BNetzagentur tends to handle the calling aspect, and data protection authorities (such as the BfDI or Länder data protection officers) handle personal data issues, but companies should be aware of both. So far, the major fines for telemarketing in Germany have been under the UWG regime, but GDPR enforcement is an ever-present risk if, for example, a company buys phone lists without proper consent or fails to honor deletion requests.

In summary, Germany's data protection laws (GDPR/BDSG) impose comprehensive obligations on any company conducting outbound calls. Firms must have a legitimate basis (ideally consent) to call, provide transparency, respect opt-outs and deletion requests, secure the data, and possibly appoint a DPO. These requirements dovetail with the telemarketing-specific rules: only by satisfying both the competition law (UWG) and data protection law can outbound calls be legally compliant.

In addition to the above legal frameworks, there are practical regulations and guidelines governing how call centers must conduct outbound calling campaigns in Germany. These cover when calls can be made, how consumers must be treated during calls, and certain sector-specific rules for particular industries.

Permissible Calling Times

German law itself does not explicitly specify exact calling hours in the statutes, but industry codes of conduct and general principles of fairness set clear expectations. Telemarketing calls should be made only at reasonable times so as not to disturb consumers inappropriately. According to voluntary guidelines endorsed by major telecom and marketing associations (e.g. BITKOM's telemarketing code), consumers should generally be contacted on weekdays between 08:00 and 20:00, and on Saturdays roughly 09:00 to 18:00. Calls on Sundays or public holidays are off-limits in these guidelines, and late-night or very early morning calls are considered intrusive. In practice, if a company were to call a private individual late at night or on a Sunday without a very good reason or specific consent for that time, it could be deemed harassment. Regulators and courts might view such conduct as aggravating the "nuisance" factor. Therefore, reputable call centers restrict their dialing to normal business hours or early evening at latest, unless an individual has explicitly requested a call at a different time. Sticking to these time windows is considered a best practice for compliance and is in line with consumer expectations in Germany.

Identification of Caller and Purpose

When a telemarketing call is made, the caller must promptly and truthfully identify themselves and the company they represent. This is part of both legal compliance and fair business practice. Typically at the start of the call, the agent should state their name (or an ID) and the company's name, and ideally the purpose of the call (that it is a marketing or information call). Misleading the recipient about who is calling or why is illegal under deception/fair-trading laws. In fact, some of the hefty fines issued by Bundesnetzagentur were related not only to unsolicited calls but also to callers falsely presenting themselves – for example, telemarketers who pretended to be calling on behalf of the person's current energy supplier to gain trust. Such tactics violate transparency requirements. Thus, honesty in caller identification is a must: the recipient has the right to know the true identity of the caller and not be misled. Moreover, as noted, the phone number presented must be one that connects to the company. Often, companies will provide a callback number or have their customer service line displayed on caller ID, so that consumers can call back or verify the call's legitimacy. BITKOM's code requires that the transmitted number be either toll-free or at standard local rates for a callback. This ensures consumers are not charged a premium to return the call or opt out.

Consent Confirmation and Call Content

During a marketing call, if the consumer has any doubt or disputes having given consent, the call center agent should have a protocol to handle that – typically, politely terminate the call and note that no further contact should be made. The new §7a UWG documentation rule means the company should have evidence of that person's consent; if the consumer challenges it, it may signal that consent was improperly obtained or expired, and continuing the call could compound the violation. Call centers are trained to be cautious: if a callee says "I never agreed to this call," the agent should apologize and end the call, and the number should be flagged for no further contact unless proof of consent can be double-checked. Additionally, certain business sectors have special rules due to the nature of their sales tactics or past abuses:

Energy and Telecom Contracts

The energy sector has had problems with aggressive telephone sales and "slamming." As a result, since 27 July 2021, energy supply contracts with household customers cannot be concluded solely by a phone call – even if a sale is agreed on the phone, it must be confirmed in text form (e.g. email or letter) by the customer to be valid. This is mandated by §41b of the Energy Industry Act (EnWG). If a company tries to switch a customer's electricity or gas service based only on a phone agreement, that contract is legally void unless and until the customer confirms in writing afterward. This rule was introduced to curb fraudulent switchovers. It effectively means a call center can pitch an energy contract, but they must follow up with a written confirmation that the customer returns (or an electronic signature) before it's binding. Telecom (phone/internet) providers similarly must provide a contract summary and get a confirmation, per EU law, though the process may allow confirmation by verbal consent recorded plus a written summary – but energy is stricter in requiring text confirmation.

Financial Services

In insurance or financial product telemarketing, companies must also be careful. There are sectoral regulations (like the Insurance Contracts Act) that require certain disclosures and sometimes a 14-day cooling-off period for agreements made over phone. Some financial calls (investment products, for example) might even be restricted by securities law from cold calling. While not an outright ban, these sectors have additional compliance steps (providing documentation, risk warnings, etc.).

Lotteries and Subscriptions

Germany has cracked down on lottery scam calls and unwanted magazine subscription calls. Any prize promotion or lottery phone call is considered high-risk under UWG, often requiring explicit consent and clear opt-out information. A 2009 reform targeted such "special distribution forms" (besondere Vertriebsformen) and increased penalties for those as well.

Automatic Dialing/Robocalls

Using automated dialing systems that play a recorded message (robocalls) for marketing is prohibited without prior consent. Under the EU e-Privacy rules (implemented in Germany via UWG and TTDSG), automated calling machines fall under the same or even stricter consent requirement. So outbound IVR messages can only be sent to people who knowingly agreed to receive that sort of call. (The question focuses on outbound calls with presumably live agents, but it's worth noting that prerecorded telemarketing calls are generally not allowed unless explicitly authorized by the recipient.)

Call Recording and Monitoring

Many call centers record calls for training or quality assurance. In Germany, call recording is highly sensitive due to both data protection and the right to privacy of conversation. If a call is being recorded, the person on the line must be informed at the start and given a choice. Typically, an agent will say, "This call may be recorded for quality purposes." Simply continuing the call after that may be taken as implied consent, but best practice is to allow the customer to opt out (for example, by saying "If you prefer not to be recorded, please tell us or hang up"). Secretly recording a phone call without informing the other party is illegal (it can even be a criminal offense under §201 of the German Criminal Code for violating the privacy of the spoken word). So, call centers should always be transparent about recording. Moreover, if the customer objects, the agent should disable recording. From a GDPR perspective, recording is separate processing that likely requires its own justification (often the company's legitimate interest in training/customer service, balanced against the customer's rights – if a customer says they are not comfortable, the balance tips in favor of stopping the recording). Additionally, any recording that is kept is personal data and must be protected and eventually deleted per data retention policies. Companies also often have policies to not record the portion of a call where sensitive data like credit card numbers are read (to avoid storing such information in call files).

Outbound Call Frequency and Auto-Dialers

Regulations also address that consumers should not be harassed by repeated call attempts. If a person doesn't answer, excessive repeat calls can become harassment. While not explicitly legislated in number, the principle of proportionality applies. Industry guidelines might say not to call more than a certain number of times in a day or week if there's no response. Auto-dialing systems (predictive dialers) must be configured to drop a call attempt after a few rings (BITKOM's code even specified standards for how long the phone should ring – long enough for the person to answer, but not so long as to be a nuisance). There are also rules to minimize "silent calls" (when an auto-dialer connects but no agent is free, resulting in silence to the called party). Persistent silent or abandoned calls can lead to complaints and potential action by BNetzagentur under nuisance call provisions.

In summary, beyond the black-letter law, Germany expects outbound calls to be made responsibly and respectfully. Call centers should limit their calling to reasonable hours, clearly identify themselves, ensure they have consent, allow no pressure or deception, and follow any special rules that apply to their industry. Many of these practices are encapsulated in self-regulatory codes, and adhering to them not only helps avoid legal trouble but also improves consumer relations and reduces complaints.

Several authorities and bodies oversee and enforce the above regulations in Germany, reflecting the multidisciplinary nature of outbound call regulation (consumer protection, telecommunications, and data privacy). The key players include:

In summary, Germany employs a multi-pronged enforcement structure for outbound call regulations:

• The Bundesnetzagentur is the chief telecom enforcer handling complaints and issuing fines for illegal calls and CLI manipulation.
• Data Protection Authorities (federal BfDI and state counterparts) ensure GDPR/BDSG compliance, which underpins lawful call practices.
• The Wettbewerbszentrale and consumer groups monitor and litigate unfair practices, adding pressure on companies to comply.

All these bodies are backed by a strong legal framework and courts that support consumer privacy. Companies engaging in telemarketing in Germany should be prepared to deal with inquiries or audits from any of these regulators and should stay abreast of guidance they publish.

Unlike some countries, Germany does not require telemarketers to obtain a special telemarketing license or to register in a central outbound calling database. However, there are a few registration and consultation obligations that companies should be aware of:

Trade/Business Registration

Any call center or business operating in Germany must of course be a legally registered business (e.g., in the commercial register if applicable, and with local trade office (Gewerbeamt) if it's a trade). This is a general requirement for doing business and not specific to calling, but it means foreign companies setting up a call center in Germany need to properly establish a local entity or branch.

Telecom Services Notification

If a company were itself providing public telecommunications services, it would have to notify the Bundesnetzagentur under §6 TKG (Telecom Act). However, a call center using telephone lines to call customers is not typically considered a telecom service provider (it's a user of services), so in general telemarketing firms do not register with BNetzA as telecom operators. They simply purchase phone service (SIP trunks, PRI lines, etc.) from licensed telecom carriers who have the duty to register. One exception could be if a call center operates its own autodialer that places calls en masse, they might need number ranges – but those number ranges are assigned by BNetzA to their carrier or sometimes directly to large users. If a company needs its own block of numbers (for example, to show different regional numbers), it might apply to BNetzA for number allocation, but usually that's done through a carrier.

Robinson List & Robinson Club Registration

As mentioned, there's no official "Do Not Call" list to register for. However, companies that engage in direct marketing often voluntarily adhere to the Robinson list (for mail) managed by DDV. If a company wanted to scrub its mailing list against the Robinson list for mail or email, it would register with the DDV service to get access to that list. For telephone marketing, since no Robinson list exists, there's no similar registration. Companies rely on their internal databases of consents. It is wise for companies to implement an internal suppression list for phone numbers: a database or list of numbers that should not be called (either because the person opted out or the number proved invalid/unreachable or was a complaint, etc.). Maintaining such a list is in fact a part of GDPR compliance (respecting objections) and good customer relations. This internal "do-not-call" list should be checked before any campaign is run. Typically, list management software or dialers have features to automatically avoid numbers that are flagged.

In summary, there is no government-run telemarketing registry to sign up for or consult in Germany due to the opt-in nature of the law. The onus is on each company to maintain proper records of who can be called and who cannot, and to ensure their calling lists are up-to-date and cleansed of any contacts lacking consent. Companies should implement strong internal database checks before dialing, and possibly use available industry opt-out resources (like the Robinson list for postal mail or general marketing objections) as an extra precaution, even if those are not legally required for phone calls.

Germany's outbound call regulations apply not only to domestic companies, but also to foreign companies that target German consumers or businesses with telephone calls. The enforcement can be more challenging across borders, but legally, the requirements are largely the same:

Telemarketing Rules Have Extraterritorial Reach

If a company outside Germany (say, a call center in another country) is making calls into Germany to sell products or services, it must abide by the German UWG telemarketing rules. In other words, it needs prior consent from German consumers just as a German company would. The fact that the dialer or agents are abroad does not exempt the activity from German law when German recipients are called. Bundesnetzagentur has in the past coordinated with foreign regulators to tackle call centers located abroad that were harassing German consumers. While BNetzA's ability to directly fine a non-German entity might be limited, they can, for instance, work to have German carrier gateways block certain numbers or collaborate through international enforcement networks. From the company's perspective, it's safer to assume the strictest rules apply if you're calling Germany.

GDPR and Data Transfers

As noted, GDPR applies to foreign companies that process data of people in the EU. So a telemarketing firm outside the EU calling German individuals is definitely under GDPR scope (this is the "targeting criterion"). Such a company would need to appoint an EU representative (an individual or firm within the EU designated to handle data protection matters for it). The EU representative's contact should be given to data subjects or authorities upon request. Additionally, if the call center is outside the European Economic Area, any personal data transfer (like sending the list of German customer phone numbers to that call center) is a cross-border data transfer under GDPR Chapter V. This means the controller must ensure an adequate transfer mechanism is in place – for example, the country might have an EU adequacy decision (few do), or more commonly the company must sign EU Standard Contractual Clauses (SCCs) with the overseas call center or branch. Also, since the Schrems II decision, companies must assess the risk to data in the destination country. Practically, a foreign telemarketing provider calling Germans will likely have SCCs in their contract with the client and possibly implement extra safeguards like data pseudonymization or access controls, to satisfy GDPR requirements.

Local Representative or Branch for Compliance

Foreign companies without any German presence should consider engaging a local legal representative not just for GDPR, but also to handle any issues with German authorities. For instance, if BNetzA gets complaints about a foreign number calling people, they might publicize that or try to reach the company through whatever contacts they find. If the foreign company has a branch or a contractor in Germany, that could become a point of enforcement. Also, under German law, if a foreign entity commits an administrative offense in Germany, it might still be fined if it has assets or some operation in Germany that can be targeted. Moreover, German consumer law can allow suing a foreign company in German courts if German consumers are affected. Therefore, foreign firms should ideally have a German/EU-based agent for handling such compliance issues and should proactively follow German rules to avoid trouble.

Calling Number Presentation for Foreign Callers

The new rule from Dec 2022 about foreign calls not showing German CLI (caller ID) is directly relevant to foreign call centers. If a call center abroad tries to display a German phone number (perhaps to look local or because it's representing a German company), German telecom networks will likely strip that number off. This could result in the call appearing as "anonymous" to the recipient or being blocked entirely. This means foreign companies should not spoof German numbers. If they want a German contact number for customers, they might need to route calls through a VoIP gateway in Germany or provide the number verbally during the call instead. To be compliant, a foreign caller can either present no number (not great for pickup rates and may violate the no-suppression rule if it's marketing) or present a foreign number that is reachable. However, calling with a hidden number for marketing is illegal in itself, so foreign telemarketers are in a bind if they can't show a German number. The proper solution is often to partner with a German telecom provider: for example, obtain a German telephone number and originate calls through that provider's network (so the call actually comes from a German source with a German CLI). Some companies establish VPN or internet lines into Germany to originate calls locally, which then requires compliance with German telecom rules but avoids the CLI blocking. In any case, foreign companies must ensure their calling practices technically align with the new measures or their calls may not even get through.

Consumer Perception and Language

While not a legal requirement per se, foreign companies should be aware that calling German consumers in English (or from a far-off call center) can raise suspicion. It's best practice to have German-speaking agents and follow cultural norms (including time zones – e.g. calling at appropriate German local times). A foreign company is held to the same standards of professionalism on the call as a local one; if they violate etiquette (like aggressive scripts, or not giving proper company information in German), they are likely to prompt complaints which bring regulators into play.

EU e-Privacy Law Alignment

Germany's rules on telemarketing are actually a bit stricter than some other EU countries (which might allow an opt-out list for calls). But any company targeting EU consumers will have to also consider the e-Privacy Directive (2002/58/EC) as implemented in each country. For calls into Germany, the German implementation (UWG & TTDSG) is what matters – which is an opt-in regime. So a foreign company cannot say "in our country it's legal to call without consent, so we did it" – that defense won't hold for calls to German numbers.

In short, foreign companies must play by German rules when calling German numbers. They should secure explicit consent from German prospects before calling, comply with GDPR for any data involved, and adapt their caller ID and calling practices to German standards. Additionally, they should be prepared to cooperate with German authorities or their EU representative in case of any complaints or investigations, as enforcement is increasingly international.

Given the complexity of regulations, companies engaging in outbound calls in Germany should adopt robust compliance practices. Below is a summary of best practices to ensure adherence to Do Not Call rules, caller ID regulations, and data protection requirements:

Obtain and Document Explicit Consent

Before calling any private individual, make sure you have their verifiable opt-in consent for telephone marketing. Keep records of when, where, and how that consent was obtained (e.g. save web form submissions or call recordings where consent was given) and store this evidence for at least 5 years. If using purchased lead lists, insist on documentation that each contact consented to be called for marketing and was informed about your company (third-party consents are tricky – ensure they meet legal standards). Periodically refresh consents if they get old, and immediately honor any withdrawal of consent. For B2B contacts, document the rationale for presumed consent (e.g., "Client inquired on our website about X product on 01/05, hence call on 01/10"); when in doubt, it's safer to ask for explicit consent.

Scrub Calling Lists and Honor Opt-Outs

Maintain an updated Do-Not-Call list internally. Before any campaign, filter out: Anyone who has opted out or revoked consent. Numbers on any relevant Robinson lists (for caution, though not legally required, it shows diligence). Duplicate numbers (to avoid excessive calling). Numbers that are obviously sensitive (emergency numbers, etc., which you shouldn't have anyway). If someone during a call says "Don't call me again" or later emails to opt out, immediately add them to the suppression list. Train agents to handle opt-outs courteously and efficiently. Additionally, regularly validate the phone numbers – remove those that are no longer in service or have changed owners (to avoid calling a new user who never gave consent).

Use Proper Caller Identification

Always display a valid phone number where your company can be reached when making calls. Do not block or withhold your number on outbound telemarketing. Ensure the number belongs to your organization (or the client you represent) and is one that someone can call back and reach an agent or at least an IVR identifying the company. Ideally, use a local or toll-free number to encourage recipients to answer and to comply with BITKOM's code (which suggests providing a free/standard rate callback number). If your call center is abroad, work with telecom providers so that a German number can be presented via legal means. Under no circumstances use a fake caller ID or a number that would mislead (e.g., don't display "110" or a random person's number). Implement technology to block any call attempt that would violate the new spoofing rules (for example, your dialer should not allow an outbound call with a German CLI if the call is routed from a foreign gateway). Test your calls to ensure the caller ID shows up correctly on German phones.

Comply with Calling Time Restrictions

Adopt a calling schedule that respects recipients' time. As a rule of thumb, restrict calls to Monday–Friday 8am–8pm and Saturday 9am–6pm, and avoid Sundays and holidays. Also avoid early morning and late evening within those ranges if possible (e.g., many companies prefer not to call after 7pm). If a customer has indicated a preferred time or "do not call after work," follow those preferences. Limit the number of call attempts per contact – for instance, if someone doesn't pick up after 3 attempts on different days/times, stop calling unless you obtain a better time from them through another channel. Such policies prevent annoyance and potential complaints.

Train Call Center Staff Thoroughly

Your calling agents should be well-trained on compliance. They need to know that they must identify the company and purpose of call upfront, that they must check if the customer is okay to continue (especially if the person sounds busy or distressed), and that they must immediately respect a request to end the call or be removed from the list. Provide them with scripts that include a concise consent verification if needed (e.g., "According to our records, you opted in to receive a call about our offers – is that correct?"). Agents should never pressure someone who says no, and should avoid any deceptive tactics (like pretending the call is a survey if it's actually sales – that can lead to legal trouble). Additionally, train them on data protection basics: if someone asks about their data or how you got their number, agents should know the proper explanation or whom to refer to.

Ensure Privacy Compliance in Operations

Implement GDPR principles in your call center operations. This includes providing a privacy notice to contacts (often this is done at the point of data collection – e.g. on the web form where they gave their number). If leads are collected by phone, you might send a follow-up SMS or email with a link to your privacy policy. Appoint a Data Protection Officer if required (likely yes, if you have a sizable call operation with lots of data). Keep a record of processing activities documenting your direct marketing processes. Only use the data for the purpose consented to; e.g., if someone consented to calls about product A, don't also call them about unrelated product B without new consent. Implement data security measures like secure storage for call lists, encrypted connections for remote agents, and policies for deleting data that's no longer needed (don't hoard old phone numbers indefinitely unless you have a reason, especially if consent has expired or been withdrawn).

Monitor and Audit Your Campaigns

Have a compliance manager or team periodically audit call recordings and practices. Check that agents are indeed stating the company name and not deviating into misleading statements. Verify that the dialer is filtering out those who shouldn't be called. Conduct spot checks: for example, ensure that for a sample of called numbers, you have a corresponding consent record on file. These internal audits can catch issues early. Also, monitor complaint channels – if you see complaints on social media or to your customer service about unwanted calls, react promptly to fix the underlying issue (and to appease the unhappy recipient before they escalate to authorities).

Keep Abreast of Regulatory Changes

Regulations can evolve. For instance, the introduction of §7a UWG in 2021 and the TTDSG in 2021 were new. The EU is also working on an ePrivacy Regulation which might eventually update telemarketing rules across Europe. Stay updated by following communications from Bundesnetzagentur (they often publish annual reports on telemarketing enforcement) and guidance from data protection authorities. Also, court decisions (like recent BGH rulings on consent) refine the interpretation of the law. Compliance is an ongoing process – what was sufficient yesterday may need improvement tomorrow.

Plan for Cross-Border Considerations

If using an offshore call center, ensure they understand German-specific rules (perhaps provide them a German law compliance module in training). Put in place contractual agreements that the vendor will follow GDPR and UWG requirements. Also, set up your telephony such that it complies with German network rules (for example, routing through a trusted provider). Consider establishing a small presence in the EU to handle issues, or use an outsourced EU representative service for GDPR if you have no office in the EU.

Have a Response Plan for Complaints or Investigations

Despite best efforts, you might get an inquiry from BNetzA or a data protection authority if someone complains. Be prepared to swiftly furnish evidence of consent and compliance. This means your record-keeping should allow you to pull up the consent form or database entry for a specific phone number quickly. Respond cooperatively and thoroughly to regulators – providing all requested information (BNetzA, for example, may ask for call logs, consents, and your justification for calls). Prompt, transparent responses can sometimes resolve issues without further action, whereas ignoring or delaying can escalate matters.

By following these best practices, companies can significantly reduce the risk of violating Germany's outbound call regulations. In essence, respect the customer's choices and privacy at every step – only call if you're truly welcome, be transparent about who you are, give customers control during the call (ability to opt out or ask questions), and protect their data like a valuable asset. Not only will this keep you on the right side of the law, it will also likely improve the effectiveness of your telemarketing, since you'll be engaging with more receptive and trusting consumers.