
German Telecommunications Act §§ 172–174
TKG Customer Data
Customer master data (Bestandsdaten) is the contractual core data that telecommunications providers must collect, retain and disclose to authorities on request. What that means in practice – legally and technically.
What is customer master data under TKG?
§ 172 of the German Telecommunications Act 2021 (TKG; previously § 111 TKG) defines customer master data as the data that providers of public telecommunications services and networks may collect and use to establish, configure, modify or terminate a contractual relationship. It refers to contractual core data – static information about the line holder.
Customer master data includes: name and address of the customer, date of birth, phone numbers and other line identifiers, IMSI numbers (SIM card identification), passwords and credentials for the customer account, and bank account or credit card data for contract handling. For corporate customers the company name, commercial register entry and the data of authorised contact persons are added.
The distinction from other data categories is essential: customer master data describes who holds a connection – not what is communicated via it. Traffic data (§ 9 TTDSG) captures connection metadata (when, how long, with which endpoint); content data is the actual communication content. Different legal bases, retention requirements and disclosure processes apply to each category.
Customer data obligations under § 172 TKG
Telecoms providers may collect and use customer master data exclusively for purposes that are directly linked to the contractual relationship: contract initiation, billing, credit assessment and technical line management. Repurposing – for instance for marketing without separate consent – is not permitted.
After termination of the contract, customer data must in principle be deleted, unless another legal basis (commercial law, tax law) requires longer retention. Telecoms providers must therefore maintain a documented deletion concept that clearly defines retention periods for each data category.
The GDPR applies in parallel: customer data is personal data subject to the principles of data minimisation, purpose limitation and storage limitation (Art. 5 GDPR). The record of processing activities under Art. 30 GDPR must reflect the processing of customer data. The TKG obligations and the GDPR requirements complement each other; they must be addressed in consolidated documentation.
Disclosure of customer data under § 174 TKG
§ 174 TKG obliges telecoms providers to disclose stored customer data immediately to designated authorities on a specific request. Authorities entitled to request disclosure include federal and state police, public prosecutors, constitutional protection authorities, BND, MAD and the Customs Criminal Investigation Office. The authority must state the legal basis for the request.
Customer-data disclosure must be clearly distinguished from telecommunications interception under TKÜV: while TKÜV concerns real-time interception of ongoing communication, customer-data disclosure relates only to static contractual data – typically the question of who held a particular phone number or IP address at a particular point in time.
Telecoms providers must maintain technical and organisational facilities for issuing disclosures (§ 174 (7) TKG). This includes systems to query customer data, secure transmission paths for disclosure, and internal processes for handling authority requests. Crucially: the disclosure process must be hardened against social-engineering attacks – forged official requests are a known attack pattern.
Technical protection requirements for customer data
Customer master data deserves protection from two angles: as personal data under GDPR and as a security-relevant infrastructure component under TKG. Attackers have considerable interest in customer data sets: phone-number-to-name mappings and contact details enable targeted phishing and spear-phishing attacks as well as identity theft.
Specific technical measures required: role-based access controls following the need-to-know principle with regular recertification, encryption of databases (at rest) and all transmission paths (in transit), complete and tamper-evident logging of all database accesses, and physical separation of customer master data and traffic data at the system level.
Organisationally, defined processes are required for internal access requests and external authority requests: who may query customer data? Under what conditions? Which four-eyes principle applies? How is the authenticity of authority requests verified? These processes must be documented, regularly exercised and form part of the security concept under § 166 TKG.
Customer data in the TKG §166 security concept
The security concept under § 166 TKG must satisfy the protection goals of confidentiality, integrity, authenticity and availability also with regard to stored customer data. As part of a concept review, the Federal Network Agency expects clear evidence of which systems store customer data and how those systems are protected.
The security concept should, for the customer-data area, cover at a minimum: system architecture of customer data storage (which systems, which interfaces), access controls and identity management for database access, encryption measures, logging concept, deletion concept following contract termination, and the authority disclosure process including a four-eyes principle.
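As an added illustration of the controls named in the two preceding sections (a stated legal basis on the § 174 request, a four-eyes release, tamper-evident logging of every access), the following hypothetical Python module is not the page's or Blackfort's code; all names and sample values are constructed assumptions.

```python
import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Hypothetical module (not a real product API); sample values are constructed.

@dataclass
class DisclosureRequest:
    authority: str     # requesting body, must be stated
    legal_basis: str   # legal basis cited by the authority (§ 174 TKG)
    reference: str     # the authority's own file reference
    query: dict        # e.g. {"phone_number": "+49 30 0000000"}

@dataclass
class AuditLog:
    """Tamper-evident log: each entry's digest also covers the previous digest."""
    entries: list = field(default_factory=list)

    def append(self, record: dict) -> str:
        prev = self.entries[-1]["digest"] if self.entries else "0" * 64
        body = json.dumps(record, sort_keys=True)
        digest = hashlib.sha256((prev + body).encode()).hexdigest()
        self.entries.append({"prev": prev, "record": record, "digest": digest})
        return digest

    def verify(self) -> bool:
        """Recompute the chain; any edited or reordered entry breaks it."""
        prev = "0" * 64
        for e in self.entries:
            body = json.dumps(e["record"], sort_keys=True)
            expect = hashlib.sha256((prev + body).encode()).hexdigest()
            if e["prev"] != prev or e["digest"] != expect:
                return False
            prev = e["digest"]
        return True

def handle_disclosure(req, operator, approvers, log, lookup):
    """Release customer master data only for a complete request that a person
    other than the operator has approved (four-eyes); log every decision."""
    record = {"ts": datetime.now(timezone.utc).isoformat(), "operator": operator,
              "authority": req.authority, "legal_basis": req.legal_basis,
              "reference": req.reference, "query": req.query,
              "approvers": sorted(set(approvers))}
    if not req.authority.strip() or not req.legal_basis.strip():
        record["decision"] = "rejected: authority or legal basis missing"
    elif not {a for a in approvers if a != operator}:
        record["decision"] = "rejected: no second approver (four-eyes)"
    else:
        record["decision"] = "released"
    log.append(record)
    return lookup(req.query) if record["decision"] == "released" else None
```

Rejections are logged alongside releases, so the audit trail also evidences attempts that did not satisfy the process.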
Blackfort Technology produces TKG §166 security concepts that fully integrate customer-data protection – as part of a concept that is simultaneously NIS2-compliant and holds up under BNetzA reviews. The data-protection and customer-data area is a frequent weak point in existing concepts, which we analyse in review engagements.
Overview: customer data under TKG
- Legal basis: §§ 172–174 TKG 2021
- Collection only for contractual purposes (§ 172)
- Disclosure duty to authorities (§ 174)
- Obligation to maintain disclosure infrastructure
- Deletion duty after contract termination
- GDPR compliance required in parallel
- Integration into the §166 security concept
Data categories under TKG
- Customer master data: § 172 TKG – contractual core data (name, address, phone number)
- Traffic data: § 9 TTDSG – connection metadata (when, with whom)
- Content data: communication content – highest protection (TKÜV)
Related services
Request TKG consulting
Customer-data obligations, §166 security concept and NIS2 for your telecommunications business.
Arrange a consultation
Cross-reference
Customer data is part of the §166 security concept
Customer-data protection is not an isolated GDPR matter – it is a core component of the security concept that telecoms organisations must submit to the Federal Network Agency under § 166 TKG. We produce and review these concepts with explicit consideration of customer-data obligations.
To the TKG §166 Security Concept
Frequently asked questions about TKG customer data
What exactly is "Bestandsdaten" under TKG and which data does it include?
Customer master data (Bestandsdaten) under § 172 TKG is data that telecommunications providers may collect and use to establish, configure, modify or terminate a contractual relationship for telecoms services. This includes: name and address, date of birth, phone numbers and line identifiers, SIM card numbers (IMSI), passwords and PINs for the customer account, and payment data. For legal entities the company name, commercial register number and authorised contact persons are added.
How does customer master data differ from traffic data?
Customer master data (§ 172 TKG) is static contractual core data: who owns a line. Traffic data (§ 9 TTDSG) is connection data that arises during use: when, with whom and how long communication took place. Content data is the actual communication content. The legal bases, retention obligations and disclosure processes differ significantly per category. A customer data request under § 174 TKG has a much lower threshold than telecommunications interception under the TKÜV ordinance.
Which authorities can request customer data under § 174 TKG?
Authorities entitled to disclosure include: federal and state police, public prosecutors, federal and state constitutional protection authorities, the Federal Intelligence Service (BND), the Military Counterintelligence Service (MAD) and the Customs Criminal Investigation Office. Disclosure is provided on a specific written or electronic request; automated bulk queries are not permitted. Telecoms providers must maintain technical and organisational facilities for issuing disclosures.
Which security measures must telecoms providers implement for customer data?
Customer data is personal data under GDPR and requires appropriate technical and organisational measures (TOMs) under Art. 32 GDPR. In concrete terms: role-based access controls following the need-to-know principle, encryption of databases and transmission paths, complete logging of all database accesses for audit purposes, strict separation of customer master data and traffic data, and secure processes for authority requests (protection against social-engineering attacks using forged official requests). These measures must also be documented in the TKG §166 security concept.
How must customer data be addressed in the TKG §166 security concept?
The security concept under § 166 TKG must satisfy the protection goals of confidentiality, integrity and availability in respect of stored customer data as well. In practice this means: documentation of which systems store customer data, description of access controls and encryption measures, evidence of logging and audit mechanisms, and a deletion concept following contract termination. The Federal Network Agency (BNetzA) audits the protection of customer data sets as part of §166 audits.
Get in touch
TKG-compliant customer-data processes
From documenting customer-data obligations and producing the §166 security concept through to NIS2 compliance – we know the TKG requirements from practice.