
I'll let you in on a secret. Government institutions, which in general have huge amounts of information about you and are notoriously bad at security, don't even get fined under the GDPR. The worst that can happen to them is bad press.

So the institution that has all the healthcare data of all German citizens cannot be fined under the GDPR. Same with any other KdöR.

https://de.wikipedia.org/wiki/K%C3%B6rperschaft_des_%C3%B6ff...

EDIT: weird, any explanation for the downvotes?



I've heard of local GDPR complaints and enforcement actions (no fines yet, in administrative proceedings) against various state agencies, municipalities and also hospitals, so it does apply to state institutions at least to a certain extent. They have it a bit easier with the reasons for processing, as usually there's an existing law that mandates (and thus allows) the data processing they do, so they usually don't need consent, but the other requirements should apply.

Why wouldn't GDPR apply to German KdöR? I'm not aware of any exemptions in GDPR that could apply to them; governments can make specific local exceptions for national security, defense, judicial process, etc. (https://gdpr-info.eu/art-23-gdpr/), but Germany shouldn't be able to simply exempt all their KdöR.

One thing is that in some jurisdictions public institutions can't be required to pay fines to the regulator (because transferring money from one gov't pocket to another doesn't make that much sense). However, you can still get an administrative ruling forcing them to change their policies, and if your rights have been violated, then you're entitled to compensation. The "can't be fined" only applies to stuff they'd owe the regulator, not to harmed individuals.


> weird, any explanation for the downvotes?

Yes, you're simply wrong. Government agencies do not have a blanket exemption from GDPR rules. There are some differences, and EU countries have some autonomy in the particulars. But as a general principle, the rules are the same: data may only be stored to fulfil a valid purpose, processing and transmission require consent, etc.

Fines don't make any sense in that regard because the government is never fined: first, because it wouldn't make much sense, as fines are payable to that very government anyway. But also because government officials are simply expected to respect court verdicts without the necessity of fines.

If you don't trust that system you're out of luck, because it's how every single other protection you have against the government is and has been enforced since the inception of "the rule of law".


We had a mayor fined for sending out election mails to a list of subscribers to a list intended for other purposes. Not exactly a "big government agency", but it still counts.

The downvotes are probably because you failed to cite the laws that exempt government agencies from the GDPR.


It's fairly well cited all over the internet that the EU commission and other European institutions claim they are exempt from the GDPR, after they were found to be in breach of the legislation it created.
