On December 4, 2025, the German Federal Government published its Federal Modernization Agenda, setting out a series of suggested amendments to the GDPR and the Federal Data Protection Act (Bundesdatenschutzgesetz). Among the key measures, Germany seeks to shift certain responsibilities from users to manufacturers and providers of standard IT products—following the model of the Cyber Resilience Act (CRA) and the AI Act—so that organizations can deploy standard solutions more easily and in compliance with the law.

The German Data Protection Conference (Datenschutzkonferenz, DSK)—the body of federal and state data protection authorities—has adopted a resolution strongly supporting this approach. The resolution builds on recommendations the DSK first made in its 2019 evaluation of the GDPR.

Key Points of the DSK’s Resolution

  • Extend Article 25 GDPR: Although the current “Data Protection by Design and by Default” obligations are directed at manufacturers, importers, and suppliers, it is not these groups but rather controllers who are de facto subject to data protection obligations. The DSK proposes making manufacturers and providers responsible for embedding privacy features at the design stage.
  • Harmonization with EU Digital Acts: The proposal seeks to bring GDPR obligations for manufacturers and providers in line with existing EU legislation such as the CRA and the AI Act.
  • Compliance Declarations: Manufacturers and providers would issue GDPR compliance statements, easing accountability for users.
  • Certification Models: The DSK suggests exploring product certifications based on GDPR schemes.
  • Include Processors: Privacy-friendly default settings obligations would also apply to processors, not just controllers.

Other Proposed Amendments by the Federal Government

In addition to the expansion of GDPR responsibility to cover manufacturers and providers of standard IT products, and its support for the Commission’s proposed GDPR changes under the Digital Omnibus, the Federal Government proposes further amendments, including:

  • Repealing national rules on appointing data protection officers, relying solely on Article 37 GDPR.
  • Amending Section 15e(6) of the Transplantation Act by replacing the current obligation for transplant centers to obtain explicit consent prior to transmitting data to the independent trust center for pseudonymization and subsequent transfer to the transplant register with an opt-out mechanism, under which data may be transmitted unless the data subject objects.
  • Assessing the implementation of the Health Data Usage Act (Gesundheitsdatennutzungsgesetz) and the Electronic Patient Record (elektronische Patientenakte), in cooperation with the Länder, to identify additional areas where an opt-out mechanism may be appropriate, which could potentially facilitate the secondary use of health data.
  • Incorporating provisions for “regulatory sandboxes” modeled on Article 57 of the AI Act into the GDPR.
  • Establishing a new, practical rule on anonymization in the GDPR, either in Recital 26, in Article 4 GDPR, or by creating a dedicated legal basis.

The Federal Government has announced plans to reform data protection supervision for the non-public sector in Germany. The objective is to achieve a consistent interpretation and application of data protection law while enhancing efficiency in the coordination among supervisory authorities. To this end, the Federal Government is considering several measures, including consolidating competencies either at the Federal Commissioner for Data Protection and Freedom of Information (Bundesbeauftragte für den Datenschutz und die Informationsfreiheit) or within the supervisory authorities of the federal states, for example through a concentration of responsibilities.

DSK’s Position and AI Reforms

While supporting many modernization goals, the DSK opposes, for example, abolishing company data protection officers. In addition, the DSK calls for targeted GDPR reforms for AI that go beyond the EU Commission’s proposals, including:

  • New legal bases for AI-related processing, covering both public and private actors and reflecting technical specifics—such as web scraping for training, re-use of existing datasets, embedded personal data in models, healthcare AI applications, and generative AI systems.
  • Enhanced transparency and rights, including obligations to inform individuals when their data is processed by AI and a right to request details.

*            *            *

At Covington & Burling LLP, we are closely following the proposed GDPR amendments from the European Commission and Member States. We actively engage in stakeholder discussions and contribute to position papers to help shape practical and balanced outcomes. We would be happy to assist you with any questions regarding these proposed changes and their potential impact on your business.

Lars Lensdorf

Lars Lensdorf is a partner in the Frankfurt office. He focuses on IT law, outsourcing, cloud services, digitalization/industry 4.0, IT-related bank regulatory matters, and IT compliance, including cybersecurity and data protection.

Furthermore, Lars is also focused on interfaces to other practice areas to the extent that IT-related matters are affected, e.g., regulatory requirements for banking and financial services as well as public procurement law.

Kristof Van Quathem

Kristof Van Quathem advises clients on information technology matters and policy, with a focus on data protection, cybercrime and various EU data-related initiatives, such as the Data Act, the AI Act and EHDS.

Kristof has been specializing in this area for over twenty years and has developed particular experience in the life science and information technology sectors. He counsels clients on government affairs strategies concerning EU lawmaking and their compliance with applicable regulatory frameworks, and has represented clients in non-contentious and contentious matters before data protection authorities, national courts and the Court of Justice of the EU.

Kristof is admitted to practice in Belgium.

Anna Sophia Oberschelp de Meneses

Anna Sophia Oberschelp de Meneses is special counsel in the Data Privacy and Cybersecurity Practice Group.

Anna is a qualified Portuguese lawyer and a native speaker of both Portuguese and German.

Anna advises companies on European data protection law and helps clients coordinate international data protection law projects.

She has obtained a certificate as “corporate data protection officer” from the German Association for Data Protection and Data Security (“Gesellschaft für Datenschutz und Datensicherheit e.V.”). She is also a Certified Information Privacy Professional/Europe (CIPP/E) certified by the International Association of Privacy Professionals (IAPP).

Anna also advises companies in the field of EU consumer law and has been closely tracking the developments in this area.

Her extensive language skills allow her to monitor developments and help clients tackle EU Data Privacy, Cybersecurity and Consumer Law issues in various EU and ROW jurisdictions.