Hacker News new | comments | show | ask | jobs | submit login
Ask HN: Is Berlin (or Germany) a good place to start a startup in Europe?
18 points by mgliwka 68 days ago | hide | past | web | favorite | 14 comments



Usually, I'd have said yes.

The local startup community is great. There's certainly not as much venture capital available as in Silicon Valley but first not every startup needs extensive funding and secondly the availability of VC has been improving in recent years, too.

There's more red tape involved in setting up a company than there is in other countries but you only have to go through that once.

However, GDPR currently creates a lot of uncertainty. Unfortunately, we'll have to wait how that works out in the end. Maybe, everyone involved will act reasonably and it'll prove to have been a storm in a teacup but it's really too soon to tell.

So, on that grounds I can't really recommend Europe and Germany in particular right now.


GDPR isn't new, these laws have been in place since May 2016. Overall, they're pretty common sense, actually: don't share people's personal details without their permission, make sure your infrastructure is secure, have a plan that lists all parties that you share data with and have a protocol in case of a data breach.

If you have an ethically sound company and comply with these rules you have nothing to worry about.

Berlin is awesome, I'd choose it over Amsterdam (I'm Dutch) because of the insane rents. I've also heard good stories about Krakow and Bucharest.


I agree that the intent behind that regulation is good and yes, as an ethically sound company you shouldn't have to worry about it.

However, the implementation of these laws so far has been less than stellar, to say the least. There's a lot of room for interpretation and some rules are left vague - sometimes intentionally in order to avoid having to constantly update the regulation. Given the huge, potentially ruinous fines associated with GDPR you'd want laws to be as explicit and as specific as possible in order to avoid ambiguity and profiteering.

What's more, different European countries have implemented GDPR differently - or not at all. Privacy (or the lack thereof) - in the EU of all places - shouldn't be a competitive advantage or a bargaining chip.


> However, GDPR currently creates a lot of uncertainty.

How is it creating any uncertainty? Just make sure you use opt-in and be ready to scrap the data.

Even if you are doing business in U.S. and want to have EU clients you have to take GDPR into account. How is it related to Germany or Berlin?


The new regulation isn't just about opt-in and data deletion. Those are just the aspects consumers typically will be aware of. In addition to that a company also needs to:

- have data processing agreements with every 3rd party that processes personal data for them

- document technical and organisational measures with regard to privacy and security

- have records of data processing activities

While these are useful - GDPR or not - many aspects of those are left intentionally vague. In the past few months, data protection experts and company owners alike have been racking their brains as to how to implement the details entailed by those requirements.

A government spokesperson only just recently has been quoted that although there's "some uncertainty" regarding the implementation of the new regulation the government doesn't intend to do anything about that right now but rather wants to wait and see how civil servants and courts are going to interpret the new law. In my opinion, that's a recipe for disaster waiting to happen.

On top of that, Germany is particularly notorious for its 'liberal' regulation regarding cease-and-desist letters. There's a whole industry of shady lawyers that make a living by sending these out en masse to small companies that supposedly don't comply with regulations such as the equally notorious legal notice requirement for websites. They're perhaps already waiting with bated breath because GDPR opens a whole new 'market' for them.

Many of my fellow entrepreneurs are worried about this right now and these are people who are both well-prepared and normally not easily spooked by bureaucracy.


First, these regulations aren't new and if you've been remotely compliant with European privacy laws in the last decade, these aren't a massive step forward. With regards to these specific ideas you cite, any company that gives an iota of a shit about its users already does all of these things. I can't even call this a security fundamental, it's just basic respect.

It's odd to me that, in the lead up to GDPR, so many people are making these exact same FUD-like arguments on the exact same kinds of questions, worded in remarkably similar English (down to agreeing that the law could be a good thing), on a variety of social sites. It makes me wonder if I'm watching a foreign power trying to undermine the EU.

> In the past few months, data protection experts and company owners alike have been racking their brains as to how to implement the details entailed by those requirements.

If this is true, they're not experts. Or rather, they're the kinds of experts who say they're experts on Twitter. Nothing in GDPR is particularly complicated.


The problem with these laws is that while they're mainly targeted at large corporations - because frankly that's all regulators and politicians usually know or care about - small companies bear the brunt of complying with them right now.

Many of the questions the owners of these companies are facing right now haven't even been considered by legislative bodies. These are questions such as:

- How will I be able to operate my small company website in the future in a legally compliant manner? Some companies even consider turning off their websites completely and - of all things - only use a Facebook page in the future. Hence, ironically we might very will see GDPR actually benefitting companies like Facebook at the detriment of small companies that consequently won't have complete ownership of their content anymore.

- How exactly does a privacy policy have to be worded so I don't get sued on day 1 (in some EU countries this is a very real problem already with legal notice requirements for websites)?

- In which way will I still be able to store data for contacting my existing B2B customers (such as email addresses and phone numbers)?

- Will I still be able to use anti-spam and security plugins for my website? These tools might store users' IP addresses, which in some jurisdictions are considered personal data.

Dismissing these very real concerns by very real people as FUD or even suggesting a foreign power might be trying to undermine the EU is nothing but a preposterous conspiracy theory.


> The problem with these laws is that while they're mainly targeted at large corporations - because frankly that's all regulators and politicians usually know or care about - small companies bear the brunt of complying with them right now.

This isn't much of an argument - every single law that impacts a business falls into this category. Tax law is the classic example. If you happen to own a huge company, you'll have more resources with which to comply with regulation. The tradeoff is that as your company size increases, the chances that a bad actor is doing something fucked up that your compliance team won't find about until too late increase. That's just how business works.

Nor do I find small business owners struggling to remain compliant a particularly compelling argument. I'm a Canadian small business owner and yet I've managed to educate myself about GDPR. Hell, GDPR has been around in draft state for six years and there are tons of very well written resources available. The process of learning GDPR has been quite pleasant.

And then, I add in the facts that GDPR isn't even a particularly big change and that again, these are all fundamental ways to protect your clients, I have even more trouble feeling the pain.

Specifically consider these concerns that you cited. When I copy/paste your questions into Google, add an occurrence of "GDPR" and search, I get solid answers on the first page.


> - How will I be able to operate my small company website in the future in a legally compliant manner?

What exactly worries you here? If you could be more specific I'd be happy to try and answer your questions.

> - How exactly does a privacy policy have to be worded

The GDPR provides a list with the information that you need to provide to a subject when processing his/her data (also look at the other articles of the same section):

https://gdpr.dpkit.com/gdpr/chapter-iii/section-2/article-13...

I think a simple text with clearly stated information is sufficient and I don't think that you'll get sued if you ensure that the information is accurate and complete, which shouldn't be too difficult for small websites.

> - In which way will I still be able to store data for contacting my existing B2B customers (such as email addresses and phone numbers)?

In a nutshell, you will need either their consent or a legitimate interest (as you do now as well): https://gdpr.dpkit.com/gdpr/chapter-ii/article-6.html

Communicating with your existing business partners (e.g. to inform them about new products or ask them for feedback) is a legitimate interest so you can still contact them without asking for permission first. They can tell you to not contact them again though (which isn't really new either).

> - Will I still be able to use anti-spam and security plugins for my website?

Yes, spam protection and security are legitimate interests and even required to comply with the GDPR (reasonable technical and organizational measures), so you are allowed to process and store IP addresses for that as long as the processing is commensurate (i.e. you should store the addresses for a limited amount of time and delete them as soon as you don't need them anymore). Here the GDPR is very similar to the BDSG as well in the sense that it allows processing of personal data if there's a legitimate interest, and ensuring the security and integrity of your service is a highly legitimate interest that can override many of the normal restrictions imposed by the legislation.

Hope this clarifies some things, would be happy to hear about your other concerns / questions as well!


These questions aren't my own but rather examples of questions small business owners have been routinely - and legitimately - asking in discussion forums for months now. For the most part, these aren't tech-savvy people but entrepreneurs who maybe run a brick-and-mortar shop or a food truck business.

If GDPR was that simple and clear these questions shouldn't even come up. There are a lot of people like yourself who try to help others but there's only so much we can do.

I agree with everything you said on the matter. However, even lawyers, data protection experts as well as officials and high-ranking civil servants seem to disagree on at least some of these points, which doesn't really help with reassuring people.


No. Germany sucks for tech startups, because we have Merkel, she doesn't know anything about tech or even "the Internet". That means you can expect the government to put a lot of hurdles into anything you are trying to do.


Ha ha, at least she has a scientific/maths background rather than the majority of politicians in UK/US who are lawyers, "economists", social scientists or in some cases celebrities.


Yea, it's great. We run adtech entirely out of Germany, we've found lots of talented folks but we operate in a village, not Berlin.

But then also, we just need AWS, payment processing (stripe) and a bank account.

24/7 power, high-speed internet, hardware.

Every service is dirt cheap compared to the US.

Hookers are beautiful.


Go where your customers are. Tax is comparable to most of western europe, salaries are higher than Poland, but way lower than SV.




Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: