Winter 2024/25 policy letter
Dear readers,
What hasn’t already been written about the break-up of the traffic light coalition: breach of trust, leaked position papers and lots of smashed political china. Even the word D-Day has been mentioned. Lovers of great dramas by Sophocles or Shakespeare will certainly enjoy analysing the trials and tribulations of the end of the traffic light. I don’t want to take part in that. And we data protection officers are jokingly said to like dry subjects like the GDPR. However, a quote from the great Sophocles fits quite well at this point: ‘Straight failure is higher than a crooked victory.’
Our economy must grow again so that we can maintain our level of prosperity and employment. An important basis for this is that companies can once again concentrate on their core competences, on innovation and trade – and are not held back by excessive bureaucracy. As qualified data protection officers, we have long been making a valuable contribution to avoiding bureaucracy and want to work with you to launch a genuine bureaucracy reduction campaign.
As advocates of sensible digitalisation, we are convinced that it is crucial for companies and public bodies in Germany to tackle the challenges of data processing in a proactive and future-oriented manner. To do this, we must also rethink data protection – and above all in a risk-oriented manner. This includes proper adjustments to the Federal Data Protection Act, a practical review of the General Data Protection Regulation, including the elimination of bureaucratic burdens caused by multiple efforts and unnecessary regulations. I would like to encourage those involved, who rightly point out the sometimes divergent interpretation of data protection law in the individual federal states, to finally get a sustainable structure for the Data Protection Conference (DSK) off the ground. Companies and citizens alike need clarity and simplification in the application of legal requirements.
In this context, we have also taken note of the recently published draft bill for an Employee Data Protection Act: A strong data protection culture in companies is an important asset for the protection of employees. This draft provides important impetus and should be further developed in the next legislative period. We are in favour of focusing on the concerns of small and medium-sized enterprises: We need more proposals such as simplifying the use of data in the application process with clear deletion periods. Other approaches, such as the inclusion of the works council in the appointment of the data protection officer, are proposals from the moth box that neither make work easier nor increase the level of data protection and only lead company management into a further spiral of bureaucracy. We believe that an independent law on the handling of employee data makes sense, but the current draft still needs time. We should use the new legislative period for joint further development. The draft provides a good basis for this.
I would like to take this opportunity to highlight two other important topics in this letter that we are particularly proud of: The BvD Autumn Conference 2024 addressed current European data protection issues and digital regulations with a focus on practical solutions and exchanges between industry and supervisory authorities. We at the BvD also ensure that artificial intelligence and data protection are dovetailed: the new ‘AI-qualified DPO’ training course qualifies data protection officers to support AI projects in a secure and data protection-compliant manner, providing companies with additional expertise in the field of artificial intelligence. We hope you enjoy reading this report and look forward to your feedback.
We wish you and your organisation all the best for the exciting year 2025!
Our core theses for a new departure in data protection law
NEW LEGISLATION, NEW HAPPINESS
With the elections and a newly elected Bundestag, opportunities are opening up in the new year to further develop data protection in Germany in a future-oriented and practical manner. The Professional Association of Data Protection Officers (BvD) sees modern data protection law not only as a protection of informational self-determination, but also as a decisive factor for economic strength and social trust. In order to leverage this potential, we offer our expertise and experience in shaping the future.
A new departure in data protection law offers the opportunity to dovetail economic innovation and the protection of personal rights more closely. A practice-oriented debureaucratization of the GDPR is central to this: If a small startup has to meet the same documentation requirements as a multinational corporation, unnecessary hurdles are created. A consistent risk-based design will relieve the burden on companies and at the same time create trust by improving transparency.
“BvD members” repeatedly report problematic regulations and obligations that neither increase the level of data protection nor ensure greater process security. In some cases, this results in a multiple documentation effort from just one processing operation. The practical design of documentation requirements and the greater involvement of data protection officers in these activities – which were previously the responsibility of the controller – can make things much easier and significantly reduce costs.
The reform of the Federal Data Protection Act (BDSG) is also crucial. The established model of the company data protection officer has proven its worth. It ensures clear responsibilities and relieves the management of a considerable amount of bureaucratic work, which would fall back on the management if the obligation to appoint an officer were abolished. Its abolition would be a disservice that would create risks and additional work for companies and authorities. At the same time, we advocate clear regulations that do not lead to new interpretative fantasies.
The clarification of responsibilities in the area of AI and. employee data is also of particular importance. An Employee Data Protection Act could create legal certainty, for example on the question of whether and how AI-supported applicant analyses are permissible. In the necessary German implementation law for the AI Act, supervision should be transferred to the state data protection officers (LfDI), who already have the relevant experience and are already involved in these processes as a result of the GDPR, instead of creating a completely new position and new staff requirements. The experts in this area are rare and should be used productively and not withdrawn from the economy. Better integration of the Data Protection Conference (DSK) could also contribute to uniform standards here.
Furthermore, the responsibility for data protection-compliant AI systems must not lie solely with the users. Manufacturers must be legally obliged to provide transparent and data-fair systems – in line with the GDPR principle of privacy by design. This would allow companies that use AI to optimize their production processes to operate without legal risks, while at the same time creating considerable trust in the systems – because that is the great challenge of this technology.
These measures pave the way for future-proof data protection that enables innovation and strengthens trust in the digital transformation. Legally compliant use is a key component for economic strength and the protection of informational self-determination.
Find out more about our Data Protection Agenda 2025 here!
Practical help with difficult questions about artificial intelligence and data protection
In September 2024, the BvD launched a specialized training course to become an “AI-qualified DPO”, which comprehensively prepares data protection officers for the challenges and requirements associated with artificial intelligence. The training is particularly aimed at businesses, as DPOs can act as a central point of contact for AI-specific data protection issues and support companies in legal and ethical matters relating to data processing with AI.
The “AI-qualified DPO (BvD)” training course is a special qualification for company and official data protection officers and other persons working in data protection. The BvD provides operational and official data protection officers as well as other persons working in data protection with the necessary knowledge.
The training addresses the increasing interlinking of AI and data protection, as AI systems often process large amounts of personal data. DPOs with AI expertise are already in demand as experts to guide companies safely through the complex web of data protection and AI regulations. By teaching DPOs the technical and legal framework conditions as well as practical use cases, they can make a significant contribution to ensuring the success of AI projects.
Further details on the training course are available here.
A “class reunion of data protection” and the political demand for recognition of the work of the data protection officer
REVIEW OF THE BVD FALL CONFERENCE
This year’s BvD autumn conference in Stuttgart brought together around 250 experts from the fields of data protection, digitalization and European legislation. Under the motto “Business meets supervision”, the event provided a platform for an intensive exchange on the increasing complexity of data protection regulation in Europe. Prof. Dr. Tobias O. Keber, State Commissioner for Data Protection and Freedom of Information Baden-Württemberg, called the conference the “data protection class reunion” – an apt description in view of the experts who met the challenges and opportunities of the EU digitization trend with new perspectives.
Michael Will, President of the Bavarian State Office for Data Protection Supervision, also emphasized the role of data protection officers, who are increasingly in demand to support new technologies. He called on the participants to actively face up to the “climate change” in data protection law and to accompany digitalization responsibly. At the authorities’ day, which traditionally follows the autumn conference and presents the views of official data protection officers, the state data protection officers from Baden-Württemberg and Bavaria appealed to authorities and local authorities to prepare in good time for the AI regulation that will apply in parts from February 2025. “AI expertise is important, and we need to position ourselves very well and very early on,” said Keber, the State Commissioner for Data Protection and Freedom of Information for Baden-Württemberg, in his keynote speech. When the AI Regulation is applicable, administrations must be prepared.
EDPS Wojciech Wiewiórowski: Demands for a stronger role for DPOs
In a powerful video message, the European Data Protection Supervisor (EDPS), Wojciech Wiewiórowski, highlighted the key role of data protection officers and emphasized the need to strengthen their role politically and institutionally. The EDPS made it clear that data protection officers (DPOs) within the EU institutions must not only act in an advisory capacity, but above all independently, in order to ensure the effective implementation of data protection requirements.
Wiewiórowski referred to four key challenges for DPOs: insufficient resources, the need for independence, conflicts of interest due to additional tasks and clear involvement in data-related decision-making processes. According to Wiewiórowski, these barriers make it difficult to implement comprehensive data protection and could only be overcome with political support. He emphasized that, in view of the increasingly complex data landscape, DPOs must be given full access to resources and support in order to carry out their tasks – an issue that is also often lamented by national supervisory authorities.
In his speech, Wiewiórowski emphasized the indispensability of data protection officers as protective bodies within institutions and as key points of contact for the supervisory authorities. The demand for recognition and support of DPOs was also reflected in the keynotes of other speakers. Thomas Zerdick, Head of the “Supervision and Enforcement” Unit at the European Data Protection Board (EDPB), also shed light on the role of the EDPB and the need for action in the European data protection landscape.
Innovation and data protection: a strong partnership
Another central point of the conference was the question of how innovation and data protection can grow in harmony. Björn Beck, head of the innovation laboratory of the Baden-Württemberg state government, spoke out against the misconception that data protection is necessarily a contradiction to technological innovation. He emphasized the social value of data protection and showed how data protection officers can meaningfully support the development and use of artificial intelligence and other technologies. “Innovation and data protection must not be a field of tension, they must go hand in hand,” explained Beck, highlighting the advisory role of data protection officers in Baden-Württemberg as trend-setting. Wiewiórowski also expressly warned against data protection and informational self-determination being watered down or even discarded in the wake of the “AI hype”.
Efficiency and pragmatism of the supervisory authorities
The increasing complexity of data protection regulation and the call for a reduction in bureaucracy were also key topics that Thomas Spaeing, Chairman of the BvD, addressed in his speech. He emphasized the pragmatic and solution-oriented work of the German data protection supervisory authorities, for example the opt-out solution for the transmission of postal addresses, which reduces bureaucracy for small companies in particular. Spaeing criticized the politically motivated discussion about a supposed increase in the efficiency of the supervisory authorities as misguided and demanded that the debate about reducing bureaucracy should not be conducted at the expense of citizens’ protection rights.
The conference concluded with the BvD Public Authorities Day, which offered a wide-ranging program especially for data protection officers of public institutions. Prof. Dr. Thomas Petri, Bavarian State Commissioner for Data Protection, Prof. Dr. Tobias O. Keber and Nicole Matthöfer, President of the Baden-Württemberg Cybersecurity Agency, presented perspectives on the challenges of public data protection and digital security policy.
The BvD Autumn Conference in Stuttgart made it impressively clear that data protection officers are indispensable players in a digital society that is to be shaped in accordance with fundamental rights. The words of Wojciech Wiewiórowski resonate: Data protection as a protective right must be recognized politically, clearly delineated legally and adequately funded in order to meet the challenges of the future.
A detailed summary of the event can be found here.
