Author: Dr. Katy Ritzmann

Legal basics for establishing business activities in Germany

After successfully having set up a company, the operation of the newly founded entity will have to comply with further legal provisions. These include company internal matters, such as how the bodies within the company are structured and how the relationship between the shareholders is organized. Other startup-relevant legal issues concern the compliance of the operative activities of the company with the regulatory framework, particularly in the digital domain, as well as legal provisions around competition and consumer laws.

Company internal matters

The relationship between the shareholders – Shareholders’ Agreement

A shareholders’ agreement is a non-mandatory arrangement made as a contract among the company’s shareholders and contains a set of regulations regarding how the company should be operated, as well as the shareholders’ rights and obligations. The shareholders’ agreement clarifies in much broader detail several points which are already known from the Articles of Association (AoA). However, it also adds further points which are not meant to be public. A shareholders’ agreement remains an internal agreement between the shareholders of the company. It can also include further detailed information on the regulation of the shareholders’ relationship, the management of the company, relevant rulings concerning how to deal with the shares, how to deal with dividend payments, voting rights, as well as further privileges and protections of the shareholders.

The managing director serves as the legal representative for external relations, as well as the manager of the day-to-day business. He / she is under the supervision of the shareholders. Appointments and removals of managing directors are usually made by an official resolution of the shareholders. They take effect only from the moment such resolutions are submitted to and accepted by the commercial register (and become public).

In principle, foreigners may also be appointed managing directors of a GmbH. If the company is managed from Germany, such persons must have the required residence and work permits for Germany. If a foreigner is to manage the company from abroad, that person may be appointed managing director only if he / she is able to enter Germany at any time without the need for a visa. In their capacity as the representative of the GmbH, managing directors must comply with numerous legal and business duties. Certain provisions of the relevant law restrict the leeway of the directors and have to be properly taken into consideration, so that the directors are not found personally liable for not acting in compliance with the law (e.g. in cases of unlawful distribution of proceeds, undue and improper accounting, insolvency filing, etc.).

The legal standard for examining the conduct of the directors is “the due care of a prudent and professional businessman”. The managing director is responsible for the organization of the GmbH in a way which ensures that all legal requirements are properly fulfilled. In addition, the organizational system has to be sufficient for the managing director to fulfil his legal and business duties properly.

The shareholder(s) or the shareholders’ meeting is the main and the most important body of the GmbH. In contrast to the German Stock Corporation (Aktiengesellschaft, or AG), the GmbH shareholders have almost complete freedom to control and manoeuvre the existence and structure of the company through instructions they give to its managing directors.

The shareholders must comply with the Articles of Association and the obligations imposed on them by law, such as amendments of the Articles of Association in certain scenarios, nominating or removing the managing director, approvals of the financial statements, capital reserve measures, issuing new shares, dissolution of the company, etc. The shareholders’ main and fundamental rights are the right of ownership and the right of participation in the proceeds of the company.

Thus, holding a share in the company entitles the shareholder to fiduciary rights as well as to participating rights that are related to the decision-making mechanisms. Decisions in the shareholders’ meeting are taken by voting. Usually, one share equals one vote. The law stipulates special requirements in terms of the minimum voting majority required for resolutions concerning specific issues, such as the amendment of the Articles of Association or the dissolution of the company. Otherwise, resolutions are passed with a simple majority, unless otherwise agreed to by the shareholders, or in the Articles of Association. Generally, every natural or legal entity can be a shareholder in the GmbH. This also includes foreign entities or individuals with foreign nationality.

A one-man-GmbH foundation with a legal entity as the sole shareholder is also possible. Furthermore, a trustee can hold the shares in trust for the actual beneficial shareholder.

A supervisory board is not a mandatory requirement for a GmbH, apart from a few exceptions, which are not relevant for startups and young companies. Nevertheless, the Articles of Association, as well as the shareholders’ agreement, may voluntarily prescribe the establishment of a supervisory board to assist the shareholders and monitor the management as an internal corporate governance measure.

Compliance with legal provisions in the operation of the company

  1. Regulatory provisions for digital companies:

Depending on the business field the German company is operating in, certain regulatory provisions can be relevant. As mentioned before, the offering of certain financial services requires a license issued by the German Federal Financial Supervisory Authority (BaFin).

Crucially, this concerns not only FinTech companies as such but also other company models which would not consider themselves providers of financial services. That is to say, companies may be obliged to apply for a BaFin license due to provisions in the German Banking Act (Kreditwesengesetz, KWG), Payment Services Supervision Act (Zahlungsdiensteaufsichtsgesetz, ZAG) or the Capital Investment Code (Kapitalanlagegesetzbuch, KAGB). Yet, the general rule is that companies are obliged to apply for the relevant license if they conduct banking business or provide financial services. FinTech ventures are highly likely to fall under one of those regulatory obligations. Nevertheless, even if no financial regulation by BaFin is relevant, a company might still be obliged to apply for a license according to trade regulations (Gewerbeordnung). An online platform for food deliveries, for instance, is obliged to apply for a license, if its customers do not pay the delivery service directly but through the platform by using digital payment systems like PayPal.

Remember: Violation of regulatory provisions can have severe consequences for the company and its management. Operating without a required license may entail personal liability and be an obstacle with regard to future applications for a license. Moreover, competitors could sue for an injunction and creditors might seek damages and declaratory judgments against culprits. Ask your lawyer about the need for specific licenses and the implementation of regulatory provisions in the operating business of your company.



  1. Consumer laws in Germany:

Anyone who sets up a company in Germany and sells a product or provides a service to consumers has to follow certain rules. In Germany, the national law, as well as European consumer laws, must be complied with in all cases. As a general rule, consumers enjoy extensive protection in Europe. Consumer laws are applicable to agreements and situations between a consumer and an entrepreneur.

A consumer is defined as any natural person who concludes a legal transaction for purposes that are predominantly not attributable to his commercial or self-employed professional activity, regardless of whether the goods sold are in fact consumer goods or not. An entrepreneur is any natural or legal person or a partnership with a legal capacity which, when offering or concluding a legal transaction, acts in the exercise of its commercial or self-employed professional activity. Some of the following points are not only relevant for business the German company may conduct with consumers, but may also be relevant in general. The following summary is not exhaustive but outlines the most important provisions.

  1. Sale of goods and services:

The main pillars of consumer protection in purchase agreements are revocation, warranty and guarantee regulations. The relevant principles are set by strict statutory rules that are further detailed by specific jurisdiction. When it comes to contracts that are concluded via e-mail, via phone, via the internet or by any other means of distance communication, consumers usually have the right to revoke the contract within 14 days without a specific reason.

In short, the period of 14 days starts only when the consumer has received the goods or, if digital content was purchased, with the conclusion of the contract. If the contract is not a purchase agreement, or is not a purchase agreement for goods but for specific other services, the details around the right of revocation may change, but will still remain strict. Provisions like this may seem rather irrelevant in the beginning. But given that there is clearly no way around these provisions, each case brought to court would not only oblige the company to give the consumer-customer his / her money back, but also bears the obvious risk that a competitor or an association taking care of consumer rights in Germany will instigate a lawsuit for cease and desist and payment of damages. Thus, these provisions should not be ignored. Moreover, if the company does not properly inform the consumer about his / her revocation rights, the consumer has the right to revoke the contract even after the regular period of 14 days, sometimes even after years. Implementing those provisions into one’s business model allows one to factor their commercial outcome into one’s business plan. Provisions like the right of revocation lead to a certain share of goods being sent back to the company, which may be higher than in other countries where no statutory rights of revocation exist.

Another major point in contracts with consumers is warranties. The seller has an obligation, even if it is not explicitly stated in the contract, to warrant that the product or service sold is free of material and legal defects. If the goods delivered to the consumer are defective, consumers have several options: they can demand reparation, delivery of a new item, price reduction or they can return the item and revoke/reverse the transaction under certain additional conditions. The rights of revocation and warranty are inalienable. Guarantees, which are often used as a marketing tool, have legal implications as well. If a company voluntarily offers a guarantee for a product, it is bound by such a guarantee, even if the seller just mentioned the guarantee in the advertisement for the product and the consumer bought the product because of it.

  1. Competition law – Unfair business practices:

Whether consumers are purchasing goods or services on the internet or at a shop, EU regulations protect them against unfair business practices. This is not only meant to protect consumers but also to ensure a measure of self-regulation in the market. If a company applies unfair business practices, each competitor of the company, as well as associations protecting consumer rights, is entitled to go after the company with e.g. warning letters. They may even file lawsuits in order to prevent the company from applying business practices that are deemed unfair and against the law.

Unfair business practices are defined in the German Act against Unfair Trade Practices (Gesetz gegen den Unlauteren Wettbewerb, UWG) as actions that do not comply with entrepreneurial diligence and are likely to have a significant impact on the economic behavior of the consumer. A practice is considered unfair when specific measures are applied or specific situations are used by the company in order to gain an economic advantage which the company would not have if it behaved properly and accepted the rights and legal provisions of a functioning market.

Examples include misleading or aggressive practices, such as the manipulation of children through specific advertising, hidden advertising, or even sending out newsletter e-mails to recipients after the recipient has communicated that he / she does not want to receive such e-mails. This is especially relevant for companies using online advertising, as this is not only an unfair trade practice but can also be considered an infringement of personal rights and a breach of data protection provisions, which may, in turn, imply huge fines for the company. Moreover, consumers are protected against unfair and / or surprising terms in general business terms or terms and conditions. Terms and conditions of German companies which limit their liability towards the customer always explicitly exclude liability for damages resulting from death or bodily harm. This is because, if any such exclusion is not made, the whole limitation of liability in the terms and conditions is deemed void, which in turn automatically leads to the unrestricted liability of the company.

  1. Data protection:

In the European Union, the collection and processing of personal data are only allowed under certain restrictions. Data can only be processed for specifically defined and legitimate purposes. As soon as the data is not needed anymore, it has to be deleted or anonymized. Notifications that are considered spam are only allowed to be sent if the consumer consented to them. Websites which use cookies have to inform the users about it, ask for their consent, and allow the option for the user to deactivate the cookies. In addition, users have a right to know for which purposes the said cookies are used. Data protection regulations come into play in every business that directly or indirectly deals with personal data, particularly in the fields of advertising, marketing, opinion research, personal profiles, personal data trading, data analysis and others. They are not only relevant for companies that are active in the B2C field and have direct contact with the persons whose data is involved, but also apply to companies that pursue B2B relationships, for instance when they provide software for other companies that deal with personal data.

These firm data protection regulations are not only relevant in Germany, but all over the European Union, as they are based on EU directives and regulations. Nevertheless, some smaller or larger differences in the different EU Member States exist.

It is further interesting to note that legal provisions are not only written in the law books but are carried by a system which supports the market in regulating itself. Consumer law enforcement can in part be carried out directly by the consumers, who have the right to claim their remedies. However, as mentioned above, administrative and criminal proceedings, as well as actions of competitors and associations for consumer rights, may be initiated as well, in the case of certain violations by the entrepreneurs. Since Germany is a highly competitive and big market, it is wiser, and less time- and money-consuming, to comply with the laws than to fight with all of these potential market players and regulating entities that will certainly make sure that even a new company is playing by the rules.

All in all, this chapter can only describe basic principles, and provide a short overview of relevant legal provisions when starting a business in Germany. For further details, a lawyer should be consulted.


The EU-GDPR modernizes data protection rules, responding to the rapid development of data processing technologies, while at the same time giving EU-citizens more control over their personal data. Personal data is information which can be assigned to a specific person, thus making that person identifiable, such as the name, date of birth, contact information and bank details of that person.

Additionally, data relating to the origin, political and religious views, belief, health or sexuality benefits from special protection. While granting rights to affected persons, the GDPR makes high demands on enterprises in return for the purpose of balancing powers – regardless of the size of the company. It pushes enterprises to critically examine their processing operations and implement higher standards of data protection. Not complying with the laws could result in substantial fines of up to €20 million or 4 percent of the worldwide annual turnover of the previous fiscal year, whichever figure is higher.

Additionally, the individual and physical scope of the GDPR is very broad: not only “controllers” (enterprises) that use personal data, e.g. for their daily business with regard to customer relationships, are responsible for following the regulatory regime of the GDPR, but also data “processors” who support controllers in that respect. Among other things, both controllers and processors have to guarantee that technical and organizational measures for data processing are taken in accordance with the GDPR. The physical scope (“data processing”) covers “collection”, “analysis”, “storage”, “archiving” and other use of personal data.

The majority of startups use personal data as a core element of their business value chain. This processing falls within the scope of the GDPR. Under the GDPR, affected persons can obtain information about their personal data which has been stored, can claim correction if such personal data is incorrect, and can demand deletion, release or transfer of their personal data. Because of those rights, it can be considered a violation of GDPR provisions if personal data is not available in case of technical malfunctions or if access to information about the personal data of the individual is not provided in a speedy manner.

Additionally, startups, like any other enterprise, are generally obliged to document all processing activities in a specific record of processing activities. SMEs with fewer than 250 employees are only obliged to keep such records under certain circumstances, for example if their business model is mainly based on innovative processing of personal data or associated technologies.

The documentation should be easily understandable, giving due consideration to the type, extent, circumstances and purpose of the specific data processing, and should also consider the different degrees of probability of risks for the individual in processing their personal data. The documentation may be part of a data protection management system (DPMS) which could serve as a basis for notification to the regulatory authority and to inform affected persons in case of a personal data breach. A DPMS may also serve to compile, manage and update evidence, because – in case of a (claimed) violation of GDPR rules – the burden of proof lies on the controllers and processors, which have to show that they implemented appropriate technical and organizational measures to meet the requirements of the GDPR.

In order to assess whether the processing of personal data is in compliance with GDPR rules, the key question – “Do I really need the data for business purposes?” – has to be answered positively, taking into account in particular the principles of data processing:

  • Lawfulness of the intended purpose of the processing of personal data
  • Limitation of the processing of personal data as far as possible – data processing only in so far and as long as the specific purpose for the processing is determined, unambiguous and legitimate
  • Consideration of the principle of data minimization – limit the scope of personal data to be processed to what is really required for the determined purposes
  • Accuracy of the processed data
  • Integrity and confidentiality of data processing, protecting personal data through appropriate technical and organizational measures

If an enterprise processes data regularly, systematically and comprehensively, it has to nominate or hire a data protection supervisor with the necessary expertise. The data protection supervisor has to be capable of advising the enterprise with regard to data protection and of monitoring compliance with the GDPR (also in cooperation with the regulatory authority). Enterprises may obtain a data protection seal or mark to demonstrate their compliance with the GDPR.