
I've heard of local GDPR complaints and enforcement actions (no fines yet, in administrative proceedings) against various state agencies, municipalities and also hospitals, so it does apply to state institutions at least to a certain extent. They have it a bit easier with the reasons for processing, as usually there's an existing law that mandates (and thus allows) the data processing they do, so they usually don't need consent, but the other requirements should apply.

Why wouldn't GDPR apply to German KdöR? I'm not aware of any exemptions in GDPR that could apply to them; governments can make specific local exceptions for national security, defense, judicial process, etc. needs (https://gdpr-info.eu/art-23-gdpr/) but Germany shouldn't be able to simply exempt all their KdöR.

One thing is that in some jurisdictions public institutions can't be required to pay fines to the regulator (because transferring money from one gov't pocket to another doesn't make that much sense); however, you can still get an administrative ruling forcing them to change their policies, and if your rights have been violated, then you're entitled to compensation; the "can't be fined" only applies to stuff they'd owe the regulator, not regarding harmed individuals.


