Germany Scraps National Data Protection Officer Rule, but EU Law Keeps Pressure on Firms
Veröffentlicht: 19.07.2026 um 06:43 Uhr, Redaktion boerse-global.de
A pair of German court rulings this summer has sharpened the boundaries of data protection law just as Berlin moves to eliminate one of its most long-standing national requirements. The European Court of Justice decided on 14 July 2026 (case C-474/24) that publishing sanctions against professional athletes is permissible under certain conditions, provided a case-by-case balancing of interests occurs. Such data, the ECJ clarified, is neither health information nor data on criminal convictions. Meanwhile, on 18 June 2026, the Frankfurt Higher Regional Court weighed in on deletion deadlines for payment-default data held by credit agencies. The judgments underscore that data protection litigation remains a legal minefield regardless of who oversees compliance.
That oversight role is now at the center of a planned regulatory shift. The German government has tabled a bill, first circulated in early July 2026, to abolish the national obligation for companies to appoint a data protection officer. Under the current Federal Data Protection Act (BDSG), any business with at least 20 employees that processes personal data automatically must name an officer. That threshold would disappear entirely. The move, part of the coalition programme agreed on 2 July 2026, is intended to reduce bureaucracy and relieve economic burdens. Yet the existing rules remain fully in force until the legislation is enacted.
Even if the national requirement vanishes, the EU’s General Data Protection Regulation (GDPR) continues to apply independently. Article 37 of the GDPR already compels firms to designate a data protection officer in specific scenarios, such as large-scale systematic monitoring or extensive processing of sensitive data. The penalties for non-compliance are severe: fines of up to €20 million or 4% of worldwide annual turnover. Legal experts therefore caution against any hasty dismantling of internal oversight structures.
The reform debate arrives at a moment when companies are racing to deploy artificial intelligence. A fresh Bitkom survey finds that 69% of German businesses view data protection rules as an obstacle to training AI models, and 59% say the regulations have already caused projects to fail. At the same time, the EU’s AI Act, in force since February 2025, imposes mandatory training requirements. Roughly one-third of all user inputs into AI tools now contain sensitive data, according to estimates, making internal policies a critical safeguard. For smaller organisations, external data protection services are already available for monthly fees in the double digits—an option that may prove prudent even without a statutory mandate.
Disclaimer zu unseren Artikeln: Keine Anlageberatung, keine Kauf oder Verkaufsempfehlung. Angaben zu Kursen, Unternehmen und Märkten ohne Gewähr; Änderungen jederzeit möglich. Börsengeschäfte können zu hohen Verlusten führen. Unsere Beiträge werden ganz oder teilweise automatisiert mit Unterstützung von AI erstellt und geprüft.
