Germany: Rising Data Subject Requests at Data Protection Supervisory Authorities
I. Record Case Numbers at Supervisory Authorities
The current activity reports of the German data protection supervisory authorities for 2025 present a consistent picture: the number of data subject requests and complaints has risen substantially across the board – reaching historic highs in several federal states since the GDPR entered into force.
The Bavarian State Office for Data Protection Supervision (BayLDA) recorded a total of 9,746 complaints and audit requests in the 2025 reporting year – an increase of 61% compared to the previous year and the highest level since the GDPR took effect. The Federal Commissioner for Data Protection and Freedom of Information (BfDI) registered 11,824 submissions, representing a 36% increase over 2024 and 52% over 2023; the number of complaints has more than doubled within two years. The Berlin Commissioner for Data Protection and Freedom of Information alone recorded 8,436 submissions between January and November 2025, including 2,644 formal complaints under Art. 77 GDPR and 5,772 requests from data subjects asserting their rights. Comparable increases are reported by other state authorities, such as the Saxon Data Protection Commissioner with a 29% rise.
This trend is neither coincidental nor mere statistical noise. The authorities’ reports consistently identify concrete drivers – most prominently the use of artificial intelligence.
II. AI as a Systemic Amplifier
A central finding of the activity reports: large language models (LLMs) have drastically lowered the threshold for filing complaints. Data subjects can now generate formally complete, legally structured complaint letters with just a few clicks – without any legal knowledge or significant effort. The Berlin supervisory authority notes that AI chatbots have made data protection rights and authorities more visible to citizens and have considerably simplified the drafting of submissions.
This has consequences beyond a mere increase in volume: AI-generated submissions frequently contain unverified or inaccurate factual statements – in extreme cases, chat logs with AI systems are submitted directly as complaints. This creates ambiguities and additional review effort that prolongs proceedings at supervisory authorities while simultaneously increasing the burden on the corporate side. The BayLDA explicitly calls for AI-generated complaints to be checked for plausibility before submission.
Moreover, AI is increasingly being used not only to draft complaints, but also to strategically identify legal options: automated tools enable the systematic and scalable detection of data protection deficiencies in websites or consent processes, and the deliberate triggering of waves of complaints.
III. Instrumentalisation of Data Protection Law – Complaints as a Means of Pressure
Alongside the technological component, the authorities identify a further structural development: in a growing number of cases, data protection complaints are not filed primarily to protect data protection interests, but are used as a low-threshold, cost-free means of pressure in other disputes. The BayLDA describes this as a “stress test” for supervision and calls for corrective regulatory action.
This practice is particularly pronounced in the context of employment law disputes. When employees or former workers are in conflict with their employer, a data protection complaint is filed with the supervisory authority in parallel with the employment law proceedings – for example, regarding access rights under Art. 15 GDPR, workplace video surveillance, or the processing of employee data. Disputes with insurance companies follow the same pattern. AI acts as an amplifier here, since identifying potential data protection deficiencies and drafting the relevant complaints can now be accomplished without legal assistance.
For companies, this is doubly significant: such a complaint must be formally processed regardless of its motivation. Those who cannot maintain reliable documentation of their processing activities, legal bases, and internal processes will lose such proceedings – even when the data protection substance of a tactically motivated submission is weak.
IV. Key Complaint Area: Unlawful Advertising
Direct marketing remains a persistently complaint-intensive area. Unlawful email advertising, disregarded objections to marketing, and absent or defective consent have been among the top issues for German data protection supervision for years – and this finding is confirmed again in the 2025 reporting year.
The CJEU recently sharpened the legal architecture here: in Inteligo Media (13 November 2025, C-654/23) it confirmed that, for direct e-mail marketing, Art. 13(2) of the ePrivacy Directive – transposed in Germany by § 7(3) UWG – is lex specialis to the GDPR, so where the existing-customer exemption applies, no separate Art. 6(1) GDPR basis is required. The catch is that the exemption is narrow and its conditions cumulative, so in practice they are frequently not met – and where they are not, the mailing is unlawful and the GDPR’s ancillary duties continue to apply regardless.
This is where AI bites hardest in the advertising context. Recipients who are unsure about an unwanted message increasingly turn to a chatbot for legal advice, and the tool does not stop at explaining the law: it flags the apparent deficiency, identifies the relevant entitlement – objection, access or erasure – and drafts the corresponding request or complaint. What was previously a vague sense of annoyance is converted, within minutes and without any legal knowledge, into a formally structured data subject request or a complaint to the supervisory authority. For companies, the consequence is that even minor or purely formal advertising deficiencies now translate into incoming requests and proceedings far more readily than before.
V. Conclusion
Read together, the 2025 activity reports point to a structural rather than a cyclical shift. The record case numbers are driven by three factors that reinforce one another: artificial intelligence has lowered the threshold for filing (while also introducing noise in the form of inaccurate or AI-hallucinated legal assertions); data protection complaints are increasingly deployed as low-threshold leverage in collateral employment and insurance disputes; and a more rights-aware public is asserting access, erasure and portability claims with growing confidence. None of these drivers is likely to reverse.
For us as advisers, the practical centre of gravity moves away from the substantive merits of the individual complaint and towards the client’s evidentiary posture. A submission must be processed by the authority regardless of the motive behind it, so the decisive question is rarely whether the underlying allegation is strong, but whether the controller can produce a coherent, contemporaneous accountability record under Art. 5(2) GDPR. Where that record exists, even a tactically motivated complaint can be answered substantively and brought to a swift close; where it does not, a thin complaint can still escalate into fine proceedings.
This suggests a clear direction for our counsel. Advice on data protection can no longer be siloed: because complaints increasingly flank employment and marketing disputes, the accountability record should be built jointly with employment and marketing workstreams and kept litigation-ready before the authority makes contact. Direct-marketing consent and objection handling, employee-data documentation, and scalable processes for handling automated mass requests deserve particular attention, as these are precisely the areas where AI-assisted tools make deficiencies easy to detect and to weaponise. At the same time, the rise of AI-generated submissions cuts both ways: their frequent factual and legal inaccuracies offer genuine openings on the response side. The most defensible position for clients is therefore not fine anxiety, but demonstrable governance – and helping them reach it, before the first complaint arrives, is where practitioners now add the most value.
Article provided by INPLP member: Dr. Georg Schröder, LLM. (Legal Data, Germany)
Discover more about the INPLP and the INPLP-Members
Dr. Tobias Höllwarth (Managing Director INPLP)
