German Data Protection Conference proposes adapting the GDPR for the AI Era

published on 24 March 2026 | reading time approx. 3 minutes

A good eight years after the General Data Protection Regulation (GDPR) came into force, the European legal framework is set to undergo a comprehensive review. Whilst the European Commission is assessing the coherence of digital legislation within the EU as part of its ‘Digital Fitness Check’, the German Data Protection Conference (DSK) published a statement on 10 March 2026 setting out specific proposals in this regard. 

The aim of the German supervisory authorities is for the GDPR to ensure even more effective protection of fundamental rights through targeted adjustments, in line with the challenges posed by technological developments. 

Who is the DSK?

The DSK stands for the ‘Conference of Independent Data Protection Supervisory Authorities of the Federal Government and the States’. Within this body, the 17 state data protection commissioners and the Federal Data Protection Commissioner (BfDI) coordinate their efforts to ensure the consistent application of the GDPR in Germany. Although their resolutions, guidance and other information are not legally binding, they serve as an important interpretation aid for the GDPR and provide companies with concrete guidance on how to design their processes in compliance with data protection regulations.

An overview of the proposed reforms

Re-evaluation of the controller: holding manufacturers and suppliers to account

A key demand of the DSK is that providers and manufacturers should be included among those subject to data protection obligations. To date, the GDPR has been addressed exclusively to the ‘users’ of software, even though key decisions relating to data protection – such as ‘data protection by design and by default’ – are in fact already made by the manufacturer, supplier, or importer.

So far, however, only users of hardware and software have been held accountable under data protection law. Drawing on recent legislation such as the Cyber Resilience Act (CRA) and the AI Act, there is therefore a call to shift data protection obligations upstream. This is intended to hold manufacturers more accountable, in particular through standardized information for records of processing activities and data protection impact assessments. This could significantly ease the burden on small and medium-sized enterprises in particular and increase legal certainty.

Safeguarding data subjects’ rights when using AI

With regard to the processing of personal data by AI systems, the DSK sees a need for action that goes beyond previous proposals at EU level. In particular, it calls for specific legal bases for the development, training, and operation of AI systems. Furthermore, data subjects’ rights, such as the right to information and the right of access, should be strengthened, with preference given to systems featuring ‘built-in safeguards.’ If the implementation of these rights is technically or economically disproportionate, the DSK proposes functionally equivalent or compensatory safeguards. 

Reform of the right of access

Regarding the right of access under Article 15 GDPR, the DSK does not recommend limiting its scope of application but emphasizes the need for a more precise definition of its scope. Specifically, it suggests extending the exception regarding the protection of the rights and freedoms of others (currently regulated in Article 15(4) GDPR only regarding data copies) to cover the entire right of access. This would allow companies to restrict access in justified individual cases where the interests of third parties are at risk.

Reducing bureaucracy

In addition, the DSK puts forward a concrete proposal to reduce bureaucracy: the requirement to notify supervisory authorities of the appointment of data protection officers is to be abolished, as it offers no discernible added value in practice. Furthermore, the authorities are calling for greater discretion in handling complaints. In view of rising case numbers, they should be able to prioritize the use of resources more effectively.

Conclusions for international practice

With these proposals, the German supervisory authorities are taking a clear stance: The GDPR is a successful model but requires operational refinement in light of technological progress. For international companies, this could mean a reduction in administrative burdens when using IT products in future, provided the European Commission follows Germany’s lead on manufacturer liability. The resolution underscores the trend towards risk-based and manufacturer-centered regulation in the European digital single market.​

Author: Sabine Schmitt, Attorney at law (Germany), Manager