Mira Husemann
Research Associate
![Speaker at the welcome address](/fileadmin/_processed_/2/1/csm_Datenschutzrechtstag_2026_Begruessung_Vollbild_6a778f356b.jpeg)
Introduction
For our seventh Data Protection Law Day on April 24, 2026, Mr Denis Lehmkemper, State Data Protection Commissioner for Lower Saxony (LfD Niedersachsen), was a guest at BRANDI. As part of the event on the topic “GDPR yesterday, today and tomorrow – the need for reform and proposals for reform in data protection law”, Mr Lehmkemper, in conversation with legal experts including Dr Sebastian Meyer, Dr Jan-Peter Möhle and Dr Christoph Rempe, provided an interesting insight into the challenges and potential solutions in the field of AI and data protection, as well as into his work as State Data Protection Commissioner. In this main topic, we would like to look back at the Data Protection Law Day and provide an overview of the technical discussions and presentations.
The first part of the event featured presentations on the challenges and solutions in the field of AI and data protection.
In his keynote speech, Mr Lehmkemper first provided an overview of AI regulation and then turned to the provision in Article 2 (7) of the AI Regulation, according to which the GDPR remains unaffected. Mr Lehmkemper emphasised that this seemingly innocuous provision entails far-reaching challenges for data protection law. Key challenges in the field of AI and data protection include the training of generative AI models using personal data, ensuring compliance with the GDPR principles of accuracy and fairness of output data, and the implementation of data subjects’ rights in relation to AI models.
The AI training data is sourced from the organisation’s own data sets, European data repositories, and also from web scraping. In the latter case, the controller has no knowledge of the scope and categories of personal data, the circumstances of publication, or the data subjects. Here, the limit for a permissible balancing of interests under Article 6 (1) (f) GDPR is regularly exceeded, and the legal bases for special categories of data under Article 9 (2) GDPR must be invoked. As potential solutions, Mr Lehmkemper proposed the use of synthetic or ‘mixed’ data, anonymisation, and the regulation of web scraping and data sets through the authorisation of website operators or specific legal bases.
The accuracy and fairness of AI training data is an important aspect for high-quality output. In Mr Lehmkemper’s view, the aim of AI is merely to provide linguistically meaningful answers, not factually correct ones. Demographic, political, cultural and gender biases in the training data would also be reflected in the output, which the speaker demonstrated using example prompts such as “a portrait photo of a smart mayor”. As a solution, he advocated a dual verification of results via filters and human review.
The safeguarding of data subjects’ rights – in particular the right of access and the right to erasure – suffers from a lack of knowledge regarding the training data used, the data stored in the AI model and the output data. Here, proactive and reactive measures, as well as filtering to reduce personal training data and output data, would lead to a solution.
To conclude his keynote speech, Mr Lehmkemper presented projects undertaken by his state data protection authority – including the CRAI research project to establish a real-world laboratory and a dedicated AI unit – and formulated recommendations for state legislators, the state government and those responsible. He called on the state legislature to establish a specific legal framework for AI training, whilst urging the state government to commit to AI research and to support and guide companies in the implementation of AI models. The speaker recommended that data controllers prioritise data protection-friendly and digitally sovereign AI models, take technical and organisational measures, and issue service instructions on the data protection-compliant use of AI.
In his presentation, Mr Lehmkemper spoke about the challenges involved in applying the GDPR to AI models and AI systems, which were revisited and explored in greater depth during the subsequent panel discussion. In this context, Dr Meyer explained what he believes to be the major misconceptions companies have regarding the use of AI. In response to the question of whether data protection had become a ‘stumbling block’, Dr Möhle highlighted the misunderstandings that still exist among companies regarding the GDPR. In industry, artificial intelligence is used for a wide variety of tasks, such as sorting small components, identifying wear parts in production facilities, or calculating the service life of individual components; in these cases, no personal data is processed, so the GDPR does not apply at all. However, he identified an area of tension at the interface between data protection and employment law. It was noted that the exercise of data subjects’ rights following the termination of employment relationships can sometimes place a considerable burden on employers, raising questions regarding purpose limitation. Here, Dr Möhle identified a potential need for clarification de lege ferenda. Subsequently, the panellists discussed with the audience whether and how the GDPR could be reformed. It was discussed whether the high documentation burden of the GDPR – e.g. for maintaining records of processing activities – is still appropriate in today’s context. Furthermore, the question arose as to whether supervisory authorities could better support companies by, for example, publishing positive and negative lists (so-called whitelists and blacklists) for software solutions.
To conclude the event, lawyers and research assistants from BRANDI presented various case studies in a series of short talks.
Mr Harold Derksen led the case studies on the topic of “Compliance measures in the context of Sections 202a and 202b of the German Criminal Code (StGB), Article 32 of the GDPR and (un)authorised private use”. Following a brief overview of possible compliance measures, the reasons for effective protective measures and the criminal law risks under Sections 202a and 202b of the German Criminal Code (StGB) were explained, with reference to relevant sectors and the risk-based approach of the GDPR. Under Section 202a of the German Criminal Code (StGB), the acquisition of data by circumventing access controls – such as passwords – is a criminal offence, whilst Section 202b of the German Criminal Code (StGB) penalises the acquisition of data through the use of technical means such as DLP and TLS/SSL. Finally, Mr Derksen addressed the issue of permitted private use – where it is not the company but the employee who has the right to dispose of personal data – and the requirement for declarations of consent. What data is being accessed? Why is access necessary? Are comprehensive and valid declarations of consent in place? And who monitors the lawfulness of the respective measure? These are the questions companies should ask themselves when implementing effective compliance measures.
In the second presentation, Ms Johanna Schmale reported on the need for reform and proposals for reform regarding cookie consent and consent management. First, she outlined the previous and current legal situation, ranging from the opt-out solution to the fundamental requirement for active consent. The current Section 25 of the TDDDG stipulates that consent must be obtained regardless of whether personal data is involved, but also allows for certain exceptions. Furthermore, Ms Schmale explained the current practical implementation of the legal provisions and the associated issues. Although Section 25 (1) sentence 2 of the TDDDG refers to the data protection obligations regarding information and the requirements for consent, and has been clarified by case law and supervisory authorities, there is no uniform standard for the design of consent banners and no categorisation of services (not) requiring consent, which leads to legal uncertainty and costs for online services. Data subjects tend to perceive consent banners as a nuisance. Ms Schmale then presented common design options and criticised the resulting misleading information for data subjects. For a digital omnibus, the European Commission proposes that the individual preferences of data subjects be transmitted from browsers and mobile applications to websites and services. Furthermore, the processing of personal data in and by terminal equipment should be regulated exclusively by the GDPR. A list of the purposes for which data processing is to be permitted without consent should also be established.
Furthermore, Mr Habib Majuno and Ms Mira Husemann compared the requirements of the NIS 2 Directive with those of the GDPR. Following a brief introduction to the background of the NIS 2 Directive, which has been transposed into national law via the Act on the Federal Office for Information Security and on Information Security in Institutions (hereinafter: ‘BSI Act’), they discussed the protective measures to be implemented in the event of a breach, taking into account the different objectives of the NIS 2 Directive and the GDPR – the NIS 2 Directive aims to raise the level of cybersecurity in the European Union, whilst the GDPR serves to protect personal data. To protect network and information systems, Section 30 (2) of the BSI Act contains a specific catalogue of measures setting out minimum requirements for relevant organisations. In contrast, Article 32 of the GDPR sets out only illustrative measures for the protection of personal data, which must be implemented even in cases of data processing involving minimal intrusion. The risk-based approach was identified as a common feature of both regulations, which must be taken into account when planning and implementing protective measures. In practice, Mr Majuno and Ms Husemann recommended following recognised standards, such as ISO/IEC 27001 for information security management systems (ISMS), and, based on the catalogue of minimum measures in Section 30 (2) of the BSI Act, adopting a cyclical and iterative approach comprising planning, implementation, performance monitoring and optimisation for risk management. At the same time, Mr Majuno and Ms Husemann emphasised that ISO/IEC 27001 certification does not yet mean that affected companies are NIS 2-compliant or that they meet all the requirements under Section 30 of the BSI Act (see the BSI’s #nis2know information pack).
Mr Majuno and Ms Husemann then presented selected aspects from the catalogue of minimum measures under Section 30 (2) of the BSI Act and discussed, for example, how supply chain security (Section 30 (2) (4) of the BSI Act) could be implemented and documented in practice. The similarities and differences between the responsibility of management under Section 38 (1) of the BSI Act and the data protection responsibility under the GDPR were then compared, before the speakers explained the registration and reporting obligations under Sections 32 et seq. of the BSI Act. In this context, Mr Majuno and Ms Husemann expressly emphasised the dual nature of the reporting channels; a company falling within the scope of the NIS 2 Directive would therefore, in future, potentially have to report a cybersecurity incident affecting personal data to both the BSI and the competent data protection authority (e.g. the State Commissioner for Data Protection and Freedom of Information in North Rhine-Westphalia). In both cases, the notification should be made in consultation with the company’s own legal department and/or data protection officer. This also applies if the company considers it appropriate for the reporting of a ‘significant security incident’ under Section 32 of the BSI Act – unlike the reporting of a data breach under Article 33 of the GDPR – to be carried out by the information security officer rather than by the company’s data protection officer. This is because the question of materiality is not exclusively technical in nature, but also legal. Using the roles of the Information Security Officer and the Data Protection Officer as examples, the speakers went on to explain that, despite overlapping areas of responsibility, conflicts of interest could arise due to the differing scopes of protection under the NIS 2 Directive and the GDPR, particularly where enhancing network and information security requires a comprehensive analysis of personal data (e.g. from employees’ email inboxes), so that companies should ideally appoint two different individuals for the respective roles.
Mr Lasse Gastrock concluded by discussing the defence against claims for information, using the recent ruling by the European Court of Justice (ECJ, decision dated 19.03.2026 – Case No. C-526/24) as an example. Following a brief overview of the facts of the case, Mr Gastrock raised one of the central questions of the judgment: “Can an initial request for information ever be excessive?” The ECJ prescribes a two-stage test for assessing an abuse of rights. First, it must be apparent from the objective circumstances that, despite formal compliance with the conditions laid down in Article 15 of the GDPR, the objective of this provision is not being achieved. Secondly, the data subject must subjectively intend to gain an advantage from the GDPR by artificially creating the conditions for the claim. The question of whether a company can rely on publicly available information to justify a refusal was answered quite clearly by the ECJ with a “yes”. With regard to compensation, the ECJ made it clear that the necessary causal link between the infringement and the damage could be broken by conduct on the part of the data subject that caused the damage, or by the decision to transfer data with the intention of artificially creating the conditions for the claim. Mr Gastrock concluded his presentation with recommendations for action, such as proper documentation, guidance on research when handling requests for information, and explanations of the strongest indicators of abusive requests for information.