Dialogue with Axel Voss: 10-Thesis Paper

The Digital Omnibus shows that the question of a practical modernization of the GDPR is increasingly being discussed at a political level.

Against this background, our colleagues exchanged views with Member of the European Parliament and digital policy expert Axel Voss. The conversation focused on how European data protection law can be further developed without weakening the level of protection for data subjects—while simultaneously creating space for innovation, digitalization, and responsible data use by controllers.

As a law firm, we do not only accompany this discussion from the perspective of legal application. Based on our consulting practice, we have developed ten theses for the modernization of data protection law and are introducing them as impulses for discourse.
The goal is to contribute practical experience from our mandates constructively and thereby create added value for society.

Dialogue with decision-makers is a central part of our self-image: a sustainable further development of European data law can only succeed through an open, objective exchange between practice, politics, and society.

We are continuing this dialogue.

10 Theses on the Modernization of Data Protection Law

  1. Thesis: Less State – More Self-Regulation

The state-oriented system of strong supervisory authorities under Chapters 6 and 7 of the GDPR is insufficiently effective and comes at disproportionately high cost. From an economic perspective, a shift away from state supervision toward market-based self-regulation is required. To ensure this, proven self-regulation mechanisms must be maintained, e.g., records of processing activities including technical and organizational measures, risk assessments, data protection impact assessments, and data protection officers.

  2. Thesis: Risk-Oriented Tiered Model

The applicability of specific data protection law regulations (e.g., designation of a data protection officer, maintaining a record of processing activities) should not depend on company size (e.g., number of employees or turnover), but should follow a risk-based tiered model depending on the sensitivity of the business processes.

  3. Thesis: Prevention of Abuse of Data Subject Rights

The abusive exercise of data subject rights should be made more difficult, for example, by requiring proof of a legitimate interest, establishing cost-bearing obligations, or restricting excessive information requests by data subjects. This applies in particular to the right to a copy.

  4. Thesis: Restructuring of the Reporting System

The obligation to report data breaches to supervisory authorities should be limited to cases with a very high risk for the data subjects. Conversely, the obligation to notify data subjects in the event of high risks should be maintained.

  5. Thesis: Strengthening the Existing Contractual System

The contractual law system of data protection law (e.g., data processing agreements, joint controllership, confidentiality obligations) should be maintained and expanded, as this allows for the creation of needs-based and effective frameworks for individual cases. For example, the concept of commissioned processing could be extended to services where the service provider has its own margin of discretion, including regarding the purposes of processing. The possibilities for delegating data protection obligations within the framework of joint controllership agreements could also be expanded.

  6. Thesis: Higher Qualification of the DPO

Appropriate, legally defined minimum requirements should be placed on the professional and personal qualifications of data protection officers. In practice, a lack of knowledge and personal prerequisites frequently leads either to unfounded assumptions of prohibition or to professional resignation among those in charge.

Furthermore, the qualification of data protection officers promotes the quality of task performance and effective self-regulation by controllers.

  7. Thesis: Liability of the DPO

Abolition of privileged employee liability for independently acting data protection officers. Establishment of liability for data protection officers regarding consulting errors and failure to perform statutory duties.

  8. Thesis: Strengthening Self-Regulatory Instruments

The use of data protection codes of conduct and certification options should be expanded and promoted through further privileges regarding legal requirements, e.g., data subject rights as well as documentation and accountability obligations.

Introduction of an out-of-court mediation procedure with the appointment of an ombudsperson.

  9. Thesis: More Effective Law Enforcement

Private autonomy should be strengthened through more effective legal protection with improved judicial enforceability by extending the reversal of the burden of proof according to Art. 82 (3) GDPR to the existence of an adequate data protection management system.

  10. Thesis: Strengthening Competition

Mutual competition law claims between market participants due to data protection violations should be expanded by recognizing them as market-protecting.

Furthermore, data protection standards should be taken into account in public tenders.

January 30, 2026
