GDPR in Germany: Three Quarters of Companies Consider Data Protection Excessive

Executive Summary

Ten years after the European General Data Protection Regulation (GDPR) came into force, 71 percent of German companies have largely or fully implemented the requirements – in 2018, this figure was only seven percent. At the same time, the perceived burden has increased dramatically: 81 percent now complain about complexity in business processes (2016: 25 percent), 97 percent rate the effort as high. The proportion of companies that consider Germany's data protection standards excessive has nearly doubled from 40 percent (2020) to 72 percent (2025). The basis is an annual survey by the digital association Bitkom with a recent 603 participants.

People

• Ralf Wintergerst (Bitkom President)

Topics

• General Data Protection Regulation (GDPR)
• Corporate burden and compliance
• Artificial intelligence and data protection
• International data transfers

Clarus Lead

German industry is calling for a fundamental reform of the GDPR: The gap between compliance success rate and satisfaction is growing dramatically. With 82 percent, companies cite legal uncertainty as their greatest challenge in 2025 – in 2017, this was only 35 percent. The tension between data protection and artificial intelligence is perceived as particularly critical: While 59 percent see European data protection theoretically as an AI advantage, 69 percent state that data protection practically hinders the training of AI models (2023: 42 percent). The planned European "Digital Omnibus" could provide a remedy here – but trilog negotiations have so far been inconclusive.

Detailed Summary

The Bitkom study documents a growing implementation paradox: While formal compliance increases, practical acceptance declines. 97 percent rate data protection effort as high, of which 44 percent rate it as very high. The perceived over-regulation has become the dominant narrative – a reversal of the political consensus from 2020.

The central area of conflict lies in the interplay with digitalization and AI development. 59 percent of companies report that data pooling projects have failed due to data protection requirements or were never launched (2020: 41 percent). 63 percent are convinced that strict EU data protection rules are displacing AI companies abroad. The problem of international data transfers remains unresolved: 61 percent of businesses transfer data to the USA – the most important third country – and 71 percent demand sustainable solutions from politicians (2021: 32 percent).

Bitkom President Ralf Wintergerst affirms that data protection is "a central pillar of the digital world," but sees a need for reform. The expected gains from more uniform competitive conditions, legal certainty, and less bureaucracy have failed to materialize.

Key Findings

• Implementation rate increased, acceptance decreased: 71% compliance rate with 72% critical assessment of Germany
• Dramatic increase in perceived burden: Complexity from 25% (2016) to 81% (2025); legal uncertainty from 35% (2017) to 82% (2025)
• AI brake as central line of conflict: 69% see data protection as an AI training obstacle; 59% report failed data pooling projects

Critical Questions

1. Evidence: The study is based on 603 participants – how was representativeness ensured? Which sectors dominate the sample, and to what extent do sectoral differences (e.g., fintech vs. crafts) influence the results?

2. Conflicts of Interest: The digital association Bitkom represents the economic interests of its members. To what extent could the focus on burden and regulatory criticism correspond to the association's advocacy position?

3. Causality: Is the increased perception of burden (81% in 2025 vs. 25% in 2016) a result of actually stricter requirements, or have company expectations shifted?

4. AI Transfer: The statement that data protection displaces AI companies (63%) is based on corporate perception – is there empirical evidence of actual relocations?

5. Legal Certainty: What specific legal questions cause companies the greatest difficulty? Do these differ between SMEs and large corporations?

6. Data Transfers: If 61% transfer data to the USA – how are Schrems II requirements currently being practiced, and where lies the gray area?

Bibliography

Primary Source: GDPR – Nearly Three Quarters of Companies Consider German Data Protection Excessive – heise.de

Supplementary Sources:

1. Bitkom Research: Annual corporate survey (2016–2025)
2. Digital Omnibus (EU legislative process, trilog negotiations)

Verification Status: ✓ 2025

This text was created with the support of an AI model. Editorial Responsibility: clarus.news | Fact-check: 2025