Developments in Data Protection in 2026
What the MPK Resolution Means for Data Protection & Data Regulation in Germany
On December 4, 2025, the federal government and the states adopted a comprehensive agenda for modernizing the state during the Conference of Minister Presidents (MPK). The goal is to make administration and regulation faster, more digital, and less bureaucratic.
Key points for data protection in 2026:
- Reform of data protection oversight
For the non-public sector, the distribution of responsibilities in data protection supervision is to be reorganized by the end of 2027. The focus is on a greater consolidation of powers, for example within the Federal Data Protection Commissioner (BfDI) or selected state supervisory authorities. - Repeal of the obligation to appoint a DPO under Section 38(1) BDSG
A legislative initiative is planned by December 31, 2026, that would limit the obligation to appoint a data protection officer in the non-public sector to the requirements of the GDPR (Art. 37 GDPR). The previously stricter German special provision in the BDSG would thus be eliminated. - Anonymization and pseudonymization in the context of AI training and deployment
By the end of 2027 at the latest, a new BDSG regulation is to be proposed that allows public bodies to anonymize or pseudonymize personal data for AI training and use—at least on a transitional basis, until corresponding adjustments are made at the EU level.
Here you can find the MPK resolution (German).
The Omnibus Regulation on the GDPR
The proposal for a Digital Omnibus Regulation is in an advanced stage of the EU legislative process and is currently being reviewed by the Parliament and the Council. In addition to the Data Act, it specifically addresses key provisions of the GDPR.
Possible GDPR changes relevant to business practice:
- Narrower definition of personal data
Data should only be considered personal if the relevant controller can realistically identify individuals, and no longer if this is merely theoretically possible by third parties. - Simplified processing of sensitive data for AI
New exceptions are to be created for the development and operation of AI systems, which will also apply to special categories of personal data. - Restrictions on data subjects’ rights (especially the right of access)
It should be possible to limit or deny rights of access and information, for example in cases of misuse. - Simplified or eliminated information obligations
In certain situations, privacy notices will no longer need to be provided, or will only need to be provided in a simplified form. - Relaxations regarding automated decision-making & profiling
Existing safeguards should be made more flexible, particularly in the context of AI. - Changes to reporting obligations for data breaches
The reporting deadline is to be extended to 96 hours, and a central “single entry point” for reports under multiple legal acts (NIS2, GDPR, DORA, eIDAS, CRA) is to be established. - Simplifications for data protection impact assessments
Blacklists and whitelists for DPIAs will in the future be created centrally across Europe by the EDPB.
A detailed legal analysis of the planned changes is provided in the report by noyb.
Developments in AI Governance 2026
AI Act and Guidelines for the Implementation of the AI Act
With the AI Act already in force, the obligations for high-risk AI systems under Annex III and the transparency obligations under Article 50 will take effect on August 2, 2026. However, the planned omnibus regulation on the AI Act could still delay this timeline.
The European Commission published initial guidelines at the end of 2025. Further details are expected in 2026, particularly for providers and operators of high-risk AI.
Note: At caralegal, we offer a wide range of resources, including German-language webinars on implementing the AI Act, specifically tailored to high-risk AI deployers.
Omnibus Regulation for the AI Act
An omnibus proposal for the AI Act is also on the table and is currently being reviewed in the legislative process. A binding timeline does not yet exist, but entry into force before Q3 2026 is considered realistic.
Possible changes for business practices:
Elimination of the AI literacy requirement for companies under Article 4
Responsibility for AI literacy should lie primarily with the European Commission and the member states, and no longer directly with companies.New legal basis for bias correction in AI
Under certain conditions, sensitive data (Art. 9 GDPR) may be used to correct biases in AI systems.Elimination of the registration requirement for certain high-risk AI systems
Systems falling under an exemption under Art. 6(3) of the AI Act should no longer be required to be registered in an EU database.Change in the deadline for the start of obligations for high-risk AI systems
Obligations are to take effect only once sufficient guidelines are available, but no later than December 2027 (Annex III) or August 2028 (Annex I).Simplified documentation requirements for SMEs and SMCs
Companies with fewer than 750 employees and below predefined revenue or balance sheet thresholds are to be subject to reduced documentation and quality management obligations.Grace period for “watermarking” of AI outputs
The labeling requirement for certain AI outputs under Art. 50(2) is not scheduled to take effect until December 2027.
Outlook on caralegal product innovations in 2026
caralegal will continue to support customers in 2026 in implementing data protection requirements efficiently and in a practical manner.
Further development of existing flows with a focus on information security
All existing modules of the caralegal platform (Privacy Flow, AI Flow, Risk Flow, and Audit & Vendor Flow) are continuously refined and expanded with additional functionality.
Numerous initiatives are also planned in 2026 to further strengthen our OneFlow approach. Our goal is to continue breaking down silos between individual compliance topics, promote end-to-end processes, and achieve sustainable efficiency gains for our customers. In doing so, regulations in the area of information security will also be increasingly incorporated.
Supporting business processes through case management and AI assistance
In 2026, we will place a clear focus on even closer integration between specialist and regulatory departments. Through the targeted expansion of our case management functionalities, we are creating a central, shared working foundation for all involved roles across processes related to data regulation.
Specialist departments and legal experts receive structured, context-relevant information exactly when they need it. In addition, for complex issues, we provide an AI-based assistant that specifically supports specialist departments, e.g. by classifying regulatory issues, preparing relevant information, and efficiently preparing legal assessments.
More customer-specific configuration through intelligent workflow engines
To further integrate caralegal into our customers’ existing IT landscapes, we will expand the options for customized workflow orchestration in 2026. Intelligent workflow engines enable the flexible mapping of company-specific processes across systems, departments, and roles.
This enables regulatory requirements to be seamlessly integrated into operational workflows, reduces manual interfaces, and enables the targeted use of automation potential.
Conclusion: Data Protection in 2026
Data protection will remain a key success factor for companies in 2026, although under different circumstances. With the planned omnibus regulations at the EU level and the announced reform of the BDSG in Germany, the regulatory focus is shifting noticeably: away from purely formal obligations toward more risk-based, differentiated requirements.
For companies, this does not mean less responsibility, but rather the opening up of new opportunities amid greater complexity. Those who assess the upcoming changes early on, integrate data protection and AI governance, and adapt their processes accordingly can reduce regulatory risks while securing strategic advantages.
caralegal supports you in navigating these developments and integrating data protection and AI compliance efficiently and hands-on into your business processes.





