How to allow a group to change user passwords?

Quoting the OpenLDAP admin guide:

The order of evaluation of access directives makes their placement in the configuration file important. If one access directive is more specific than another in terms of the entries it selects, it should appear first in the config file. Similarly, if one selector is more specific than another it should come first in the access directive.

To cut long story short, try the following:

access to attrs=userPassword
    by dn.base="cn=admin,dc=my-company,dc=de" write
    by set="[cn=sysadm,ou=Group,dc=my-company,dc=de]/memberUid & user/uid" write
    by self write
    by anonymous auth
    by * none

# Allow everybody adding and changing Contacts
access to dn.subtree="ou=Contacts,dc=my-company,dc=de"
    by dn.base="cn=admin,dc=my-company,dc=de" write
    by set="[cn=sysadm,ou=Group,dc=my-company,dc=de]/memberUid & user/uid" write
    by set="[cn=users,ou=Group,dc=my-company,dc=de]/memberUid & user/uid" write 
    by * read

access to *
    by dn.base="cn=admin,dc=my-company,dc=de" write
    by set="[cn=sysadm,ou=Group,dc=my-company,dc=de]/memberUid & user/uid" write
    by self write
    by * read

BTW, do you really want to grant all users access to all attributes of their own object ('access to * ... by self write')? As you're limiting write access to the userPassword attribute only in the first ACL, I'd say that it's not what you wanted.

What happens if you do this?

access to dn.subtree"[cn=users,ou=Group,dc=my-company,dc=de]"
by self write
by dn.base="cn=admin,dc=my-company,dc=de" write
by set="[cn=sysadm,ou=Group,dc=my-company,dc=de]/memberUid & user/uid" write
by * read

IIRC slapd uses the first matching rule. Since the first block matches userPassword but doesn't allow sysadmins to modify, they aren't allowed to modify.