Germany’s Data Protection Conference, the coordinating body of the country’s federal and state data protection authorities, has adopted a position paper at its 111th session setting out ten proposals to modernise how data protection is supervised and enforced. The headline proposal is the one worth paying attention to regardless of where in Europe your organisation operates: shifting a meaningful share of GDPR compliance responsibility away from the businesses deploying standard IT products and onto the manufacturers and providers who build them.
The core idea: privacy-by-design as a vendor obligation, not a deployer one
Under the DSK’s proposal, manufacturers and providers of standard IT products would be made responsible for embedding privacy features at the design stage and would issue GDPR compliance statements that downstream businesses could rely on, easing the accountability burden on the organisations that simply deploy the software. The paper also floats exploring product certifications built on GDPR compliance schemes, giving buyers a straightforward signal instead of requiring every deploying organisation to independently assess a vendor’s privacy engineering.
This follows a model Brussels has already established elsewhere. The Cyber Resilience Act puts security-by-design obligations on hardware and software manufacturers rather than leaving it entirely to whoever installs the product. The AI Act does something similar for high-risk AI systems. Germany’s position paper argues privacy should follow the same logic: the entity best positioned to build data protection in from the start is the one that should carry primary responsibility for having done so.
Other proposals worth tracking
The position paper is broader than the manufacturer liability point. It calls for a statutory basis for the DSK itself within the Federal Data Protection Act, binding majority decisions of the DSK for the non-public sector, a single point of contact for companies operating across multiple German states, and mutual recognition of decisions made by one supervisory authority in matters spanning several Länder. It also pushes for stronger online protections for children and easier pathways for public-interest research. On AI specifically, the DSK wants reforms that go further than the Commission’s current proposals, including new legal bases covering training data scraping, re-use of existing datasets, and generative AI systems, plus stronger obligations to inform individuals when their data is processed by AI.
What this could mean if it moves toward EU level
None of this is law yet, a DSK position paper is an advocacy document from Germany’s data protection authorities, not binding legislation. But Germany’s regulatory positions on GDPR reform have a track record of shaping the broader EU Digital Omnibus conversation already under way in Brussels, and German industry and consumer groups tend to be influential voices in that process. Organisations that build or resell standard IT products into the German or wider EU market should watch this closely: a shift toward vendor-level compliance statements and certifications would change how software and hardware get positioned and sold, and could eventually reduce the compliance burden on deploying organisations that currently have to independently verify a product’s privacy posture from scratch.
If your organisation needs help navigating current GDPR obligations while regulatory reform proposals like this one work their way through Brussels, or wants a data protection assessment that reflects where compliance responsibility is actually heading, contact Excello Digital. We help European organisations stay ahead of privacy regulation rather than reacting to it after the fact.
