Germany Proposes Sweeping GDPR Reform, Shifting Responsibility to IT Product Manufacturers

German Government Unveils GDPR Reform Proposals

The German Federal Government has put forward a comprehensive set of proposals aimed at reforming the General Data Protection Regulation (GDPR), with a key focus on reallocating data protection responsibilities. These proposed amendments, detailed in the Federal Modernization Agenda published on December 4, 2025, and a separate proposal submitted to the European Commission on October 23, 2025, seek to shift the burden of compliance from users to the manufacturers and providers of standard IT products.

This initiative is strongly supported by the German Data Protection Conference (DSK), the body comprising federal and state data protection authorities, which adopted a resolution endorsing this approach. The DSK's resolution builds upon recommendations it first made in its 2019 evaluation of the GDPR.

Key Aspects of the Responsibility Shift

The core of Germany's reform proposal involves extending the scope of responsibility, particularly under Article 25 GDPR ('Data Protection by Design and by Default'). Currently, while these obligations are directed at manufacturers, importers, and suppliers, the de facto subject of data protection obligations often remains the data controller (user). The proposed changes aim to rectify this by making manufacturers and providers directly responsible for embedding privacy features at the design stage of their products.

The model for this shift is inspired by existing EU legislation such as the Cyber Resilience Act (CRA) and the AI Act. Key measures include:

  • Manufacturers and providers would be required to issue GDPR compliance statements, thereby easing accountability for the end-users.
  • The exploration of product certifications based on GDPR schemes is also suggested.
  • Obligations for privacy-friendly default settings would extend to processors, not just controllers.

A spokesperson for the Federal Ministry of the Interior confirmed that the position paper outlining these proposals has been sent to Brussels, indicating Germany's commitment to incorporating these changes into the EU Commission's upcoming legislative process on the 'Digital Omnibus'.

Motivation and Broader Reform Goals

The primary motivation behind these reforms is to enable organizations to deploy standard IT solutions more easily and in compliance with data protection laws, while simultaneously reducing administrative burdens, particularly for small and medium-sized enterprises (SMEs).

Beyond the shift in manufacturer responsibility, the German government's proposals also encompass broader goals for data protection, aiming for a framework that is 'future-ready, efficient, and innovation-friendly'. Other suggested amendments include:

  • Repealing national rules concerning the appointment of data protection officers, relying solely on Article 37 GDPR.
  • Clarifying that consent does not take precedence over other legal bases in Article 6 GDPR, addressing what Germany describes as 'a growing tendency in practice' by supervisory authorities and courts.
  • Easing information and reporting duties through the use of digital links and proportionality exemptions.
  • Extending data breach notification deadlines from 72 hours to three working days to account for weekends and public holidays.
  • Strengthening the GDPR's risk-based approach, potentially exempting low-risk or non-commercial processing activities.
  • Seeking legal clarity on anonymization and pseudonymization.

Centralization of Supervision

Another significant aspect of the proposed reform is the centralization of data protection supervision for the private sector under the Federal Commissioner for Data Protection and Freedom of Information (BfDI). This aims to achieve a consistent interpretation and application of data protection law and enhance efficiency in coordination among supervisory authorities, moving away from Germany's current decentralized structure.

5 Comments

Bermudez

Privacy by design is the only way forward. This is a smart move.

ZmeeLove

Extending breach notification times offers companies more flexibility, which is understandable. But for individuals whose data might be compromised, every hour counts in mitigating potential harm.

Mariposa

Centralized supervision? Excellent! Needed consistency for years.

Comandante

While reducing the burden on SMEs is a laudable goal, I worry about manufacturers simply issuing compliance statements without genuine privacy integration. Effective enforcement will be key.

Muchacho

Huge relief for SMEs! This eases the compliance nightmare.
