New developments in data protection: A look at the coalition agreement

Classic data protection issues have found their way into the coalition agreement between the CDU/CSU and SPD. Find out everything you need to know about the government's plans here.

The coalition agreement between the CDU/CSU and SPD for the 21st legislative period also addresses the subject of data protection. The new government is focusing primarily on reducing bureaucracy. This article provides an overview.

Goalof the coalition government: to reduce bureaucracy in data protection

The government intends to make data protection less bureaucratic and has a number of organisational measures in mind to achieve this. The coalition plans to replace complex data protection consent solutions with objection solutions as a measure to reduce bureaucracy, at least for government services. Approaches to this should take into account the fundamental right to informational self-determination and be implemented at the level of European law. Above all, however, the coalition agreement focuses on reforms to data protection supervision.

Centralisation of data protection supervision for the private sector at the Federal Commissioner for Data Protection and Freedom of Information

Supervision of the private sector in the field of data protection is set to be reformed. Germany is the only country in the EU where data protection supervision for the private sector is not centralised under a single supervisory authority, but is the responsibility of the 17 relevant state data protection authorities. In the interests of the economy, supervision is to be centralised at the Federal Commissioner for Data Protection and Freedom of Information (BfDI).

This planned reform of data protection supervision is fundamental: It is hoped that it will simplify bureaucratic procedures and standardise the interpretation and enforcement of the European General Data Protection Regulation (GDPR).

• The current federal structure of the supervisory authorities gives rise to differing views and decision-making practices among supervisory authorities in some cases. This has sometimes led to legal uncertainty in the application GDPR's provisions for commercial companies with several locations in Germany. Centralising supervision at the BfDI will ensure greater legal clarity.
• The same applies to the fines or conditions imposed by the individual state authorities, which have sometimes diverged.
• It would also be beneficial to introduce a single reporting channel for data breaches.

Some commercial companies feel connected to their local supervisory authority and are keen to take advantage of the advisory services and personal contacts available there, choosing to discuss fundamental data protection issues with their "own" supervisory authority. It remains to be seen whether the BfDI, as the central supervisory authority, will be able to fulfil these tasks.

The goal set by the EU of creating an single market for data has also found its way into the coalition agreement and is underpinned by a planned renaming of the BfDI. The new name will be: "Federal Commissioner for Data Utilisation, Data Protection and Freedom of Information". 

The BfDI has already announced in a press release dated 11 April 2025 that it is available for the intended projects and is committed to promoting innovation-friendly and effective data protection.

Enshrining of the Data Protection Conference in law

The coalition agreement calls for the Conference of Independent Federal and State Data Protection Supervisory Authorities (DSK) to be enshrined in the Federal Data Protection Act (BDSG) in order to develop common standards. The DSK is the coordinating body of the federal and state data protection supervisory authorities. Its function is to safeguard and protect fundamental data protection rights, bring about uniform application of European and national data protection law and collectively advocate for its further development. It does this by issuing resolutions, decisions, guidelines, standardisation, statements, press releases and specifications.

However, by centralising the supervisory competences for the private sector at the BfDI, the role of the DSK will be reduced to coordinating the supervision of the public sector.

Concessions for SMEs, volunteers and low-risk processing – impetus for reforming the GDPR?

The coalition intends to use the existing leeway in the GDPR to ensure consistency, uniform interpretation and simplicity for small and medium-sized enterprises (SMEs), employees and volunteers when it comes to data protection. At European level, the aim is to ensure that non-commercial activities (e.g. in associations), SMEs and low-risk data processing (e.g. customer lists of tradespeople) are excluded from the scope of the GDPR.

The fact is that implementing the (formal) requirements of the GDPR poses difficulties for SMEs, volunteers and non-commercial activities. This is often due to a lack of legal and/or financial resources.

Under current law, the coalition government's room for manoeuvre with regard to this project is likely to be limited: The GDPR is mandatory law; exceptions based on member state regulations are only provided for within the framework of the "escape clauses". The only concession for SMEs with regard to the formal obligations is provided for in Article 30 (5) GDPR with regard to the record of processing activities: The obligation to maintain a record of processing activities does not apply to companies or organisations with fewer than 250 employees. However, this exception does not apply if processing takes place more than just occasionally or if special categories of personal data are processed in accordance with Article 9 (1) GDPR. The latter exception means that the craft businesses mentioned as examples have already found a "way out" of the obligation to maintain a record of processing, but not of the other requirements of the GDPR.

The discussion process on reforming the GDPR has already begun at European level.

Further data protection measures in the coalition agreement

The black-red coalition government attaches great importance to data protection in the coalition agreement, but also emphasises that data protection regulations must enable progress in digitalisation, research and innovation. For the health care sector, for example, the new government would like to review the existing data protection regulations to ensure that they are absolutely necessary. In the coalition agreement, the CDU/CSU and SPD have also announced that they will introduce a three-month storage obligation for IP addresses and port numbers in order to assign them to the subscriber. The coalition agreement does not contain any further information on this. A similar project failed in the previous legislative period.

We will keep you up to date in our blog series on the coalition agreement between the CDU/CSU and SPD with the latest articles on this topic. You can subscribe to this blog series via the RSS feed to be informed about new posts.