State data protection officers report record complaints and data breaches

More data breaches, more AI cases. Data protection authorities are at their limit. The reason is AI, but also cheap technology and video surveillance.

Facial recognition AI in use

(Image: Trismegist san / Shutterstock.com)


With increasing digitalization, the number of data protection complaints is also rising – and thus the burden on data protection authorities. This is shown by the activity reports published so far for 2025. In Hesse, the number of complaints rose by 58 percent to 6,070 cases, according to the Hessian Commissioner for Data Protection and Freedom of Information (HBDI), Alexander Roßnagel. In total, the authority processed more than 11,000 cases, and the reported data protection violations also reached a record high of 2,730 cases. Credit bureaus, video surveillance, and employee data were particularly affected.

The growing use of artificial intelligence is considered a major cause. AI acts as an amplifier in several respects. On the one hand, it lowers the hurdles for complaints, as many submissions can now be created automatically or with AI support. On the other hand, the broader use of AI systems leads to new problems: opaque decisions, incorrect or “hallucinated” results, and unclear data processing increasingly cause uncertainty and thus more complaints. Many affected individuals now have their submissions formulated by chatbots, which often refer to the data protection supervisory authority as a free point of contact.

Despite increasing demands, the staffing levels in the authorities remain largely constant. Roßnagel therefore announced that prioritization and longer processing times will hardly be avoidable in the future. At the same time, he is placing greater emphasis on consulting and preventive measures – for example, regarding the data protection-compliant use of AI or in the healthcare sector.

Roßnagel, like other data protection officers, describes the increase as an expression of growing sensitivity to data protection in an increasingly digitized society. Citizens attach more importance to their personal rights and more frequently seek the support of the supervisory authority. At the same time, however, the burden on the authority is also increasing significantly, while the number of staff has remained unchanged for years.

The volume of complaints increased disproportionately in individual areas. For credit bureaus, which collect information on creditworthiness, among other things, the number of complaints shot up from 503 to 1613. In the area of video surveillance, cases increased by 83 percent from 295 to 539, and in employee data protection, also by 83 percent from 287 to 525. Lack of cooperation also led to sanctions. “Responsible parties are legally obliged to cooperate with the data protection supervisory authority,” says Roßnagel.

Consulting remains a focus, for example, on setting up a trust center for the protection of sensitive health data. In addition, doctors leaving a group practice wanted to know what they needed to do to protect patient records. The authority also advised on the reception areas of doctors' practices and emergency rooms, where patient confidentiality must be maintained.

The use of Microsoft 365 is once again a topic. After years of uncertainty, Roßnagel now concludes that Microsoft 365 can be used in compliance with data protection regulations in Hesse – but only under certain conditions and if responsible parties consistently fulfill their obligations.

The basis for this is a set of changes to Microsoft's Data Protection Addendum, additional transparency documents, technical adjustments such as the processing of almost all personal data in the European Economic Area, and the EU adequacy decision on the EU-US Data Privacy Framework. At the same time, Roßnagel emphasizes that this does not mean a blanket clearance: responsible parties must continue to examine and document legal bases, configuration, deletion concepts, and third-country transfers themselves.

In principle, the report warns against the strong dependence on IT systems and digital services of large corporations from the USA and China. This dependence is further exacerbated by the use of artificial intelligence. On the one hand, many of these systems do not fully meet the requirements of the GDPR; on the other hand, Europe's political and economic vulnerability to blackmail is growing. Roßnagel therefore advocates for greater digital sovereignty and data protection-friendly alternatives.

In the area of AI, the HBDI also reports on the joint examination procedure of several German data protection supervisory authorities against DeepSeek. In the opinion of the authorities, there are considerable doubts whether the transfer of personal data to China is compatible with the GDPR. DeepSeek has therefore been asked to remove its app from German stores or to make the data transfers compliant with the law. The report also refers to international reactions, including measures in Italy, the Czech Republic, the Netherlands, and South Korea.

As usual, the activity reports also describe a series of specific cases. These include the already highly publicized dispute over Deutsche Bahn's Sparpreisticket, on which Roßnagel has given his data protection assessment. According to this, making the purchase of cheap tickets dependent on providing an email address or mobile phone number was a violation of data protection. The Higher Regional Court of Frankfurt am Main confirmed this view in July 2025.

In the police sector, the HBDI imposed several fines on police officers for unauthorized data queries for private purposes. In a particularly serious case, officers took photos of a holding cell with their smartphones and then shared them in a WhatsApp group. The fines ranged from 800 to 1500 euros. For the first time, the authority also sanctioned a lawyer who showed unredacted criminal records of clients on Instagram to advertise his law firm. Names, addresses, dates of birth, nationalities, and accusations were visible. The lawyer received a fine of 4000 euros.

Several sanctioning proceedings also concerned unauthorized advertising. For example, a company used data from previous Corona test centers to send advertising emails for other products without consent. The HBDI prohibited further use of the email addresses and initiated fine proceedings. Furthermore, an older case against an IT company that had developed an online solution for retrieving test results for Corona test centers, which allowed access to test results due to a security vulnerability, was also concluded. In another case, a technical error led to a travel company sending advertising to over 5000 people, even though they had objected to the use of their data.

Reports following cyberattacks, phishing, malware, and security vulnerabilities increased from 482 to 625 cases. Attacks on contract processors were particularly in focus, as they process data from many companies and authorities simultaneously, and incidents can therefore quickly escalate. One example was numerous ransomware attacks on nursing homes. Another concerned an aviation group, where data of around 100,000 passengers was leaked via a compromised contract processor. The supervisory authority particularly criticized the sluggish cooperation and the initially hesitant information provided to those affected.

The HBDI is trying to respond to the growing workload of data protection authorities with prioritization, new tools, consulting, and stronger cooperation – for example, with the introduction of the payment card for asylum seekers, with website checks for associations, or with its own open-source tool for analyzing data publications on the darknet, which was published on Open-Code.


The State Commissioner for Data Protection and Freedom of Information Baden-Württemberg, Prof. Tobias Keber, presented his 41st activity report at the end of March. As in other data protection authorities, the number of submissions due to AI has also risen significantly here. In 2025, the state recorded a total of 7,673 complaints, an increase of over 90 percent compared to the previous year. The number of reported data breaches also rose to 4,059, an increase of almost 20 percent. For LfDI Prof. Tobias Keber, this is not a cause for alarm, but evidence of growing awareness: people want their data protection rights to be taken seriously.

In 2025, the fine office issued a total of 101 fine notices with a total sum of 308,850 euros. Well-known cases include a taxi company with illegal audio recordings and a police officer who had accessed registration data. In addition, an automotive company was fined after copies of customers' driver's licenses and identity cards fell out of a disposal vehicle onto the street. When presenting the report, Keber also emphasized: “The biggest concerns for me are not the reported data breaches, but those that are not reported.”

At the presentation of the report, Keber emphasized that even people who are conscious of data protection often do not realize what is technically possible. Using mobility apps as an example, he explained: Before traveling to Berlin, you turn off GPS. “GPS has been turned off, but if a service is now used via IP – and that is usually the case – then communication on the internet is IP-based. […] This means that geolocation is also possible with it. This means that even though GPS has been turned off, this location information was transmitted on an IP basis. And one is often no longer aware of this. But this shows that technology does many things that are not perhaps fully clear to us in their ultimate consequences,” said Keber.

No topic occupied the authority in 2025 as much as artificial intelligence. In October, the Data Protection Conference (DSK), which Keber chairs this year, published a guidance document on Retrieval Augmented Generation (RAG), in which the HBDI also participated.

Keber is pursuing a constructive course. In an interview with heise online in January, he emphasized: “Innovation and data protection go very well together and are not a contradiction.” His MindBW project is intended to support AI real-world laboratories in Baden-Württemberg and create legal certainty for companies and research institutions.

In addition to AI, video surveillance has become the second major area of dispute. The number of complaints in this area rose from 442 to 800 cases – an increase of around 80 percent. The cases range from cameras in restaurants with illegal audio recordings to video surveillance in schools and swimming pools that monitor changing rooms.

The authority also critically assesses a planned amendment to the State Data Protection Act: “The hitherto very limited scope of application for video surveillance has been expanded in § 18 LDSG-new”, which Keber considers to be unconstitutional and contrary to European law. Keber also views the amendment to the Police Act, which enables the Baden-Württemberg police to conduct cross-procedural data analysis, critically.

In one case from the healthcare sector, a fine procedure was initiated against the operators of a large dermatological practice after it became known that seven cameras were monitoring patients and employees, sometimes even in treatment rooms. The video recordings, some of which also showed undressed patients, were made centrally visible on a monitor without transparent information or effective consent. The practice justified the surveillance with increased efficiency, but the data protection authority assessed this as a disproportionate interference with particularly sensitive health data and personal rights. When asked, Keber said the procedure is not yet formally concluded, but he announced at the presentation of the report: “This will have consequences.”

The new school law, which provides for an individual, lifelong identification number for all students – including central storage of grades, performance data, and in the future also health data – also caused friction with the data protection authority. Keber clearly calls this “data retention of sensitive data of a vulnerable group of people” in the report. With this project, the purpose must be examined very carefully, among other things.

At the European level, Keber observes the ongoing reform projects with skepticism. The EU Commission's Digital Omnibus aims to simplify the GDPR, the AI Regulation, and the Data Act, among other things. However, he warns against hasty decisions. In an interview with heise online, he said: “If innovation is only possible by eroding fundamental rights, then it is not sustainable innovation.” As chairman of the DSK, he wants to constructively shape the reform debate and ensure that European protection standards are not sacrificed lightly.

(mack)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.