
AI systems: German DPAs issue guidance on technical and organizational measures


On 17 June 2025, the German data protection authorities issued substantially revised guidance on technical and organizational measures for the development and operation of AI systems. Aimed at manufacturers and developers, the guidance is intended to serve as a guide for the GDPR-compliant development of AI systems and incorporates significant legal and technical developments – most notably, the EU AI Act. We provide an overview of the most important aspects of the guidance and its implications for businesses.

Background

The guidance builds on the German data protection authorities’ ("DPAs") previous publication from 2019 on technical and organisational measures ("TOMs") for the development and operation of artificial intelligence ("AI") systems, one of the German DPAs' first joint publications regarding artificial intelligence (see also our blog post from May 2024 regarding other AI-related guidance by the German DPAs).

Like its predecessor, the 2025 guidance is structured around four key AI system development phases: design, development, implementation, and operation. It aligns recommended TOMs with seven "data protection goals" (Gewährleistungsziele) for each of these phases: Data minimisation, availability, confidentiality, integrity, intervenability, transparency and "unlinkability" (the latter mainly aims at ensuring purpose limitation and preventing unwanted or unexpected inferences or combinations). The goals trace back to the so-called "standard data protection model" ("SDM") developed by German DPAs, which provides a method for translating the GDPR's abstract legal requirements into actionable technical and organizational measures.

The updated guidance reflects that the world of AI has changed dramatically since 2019. Firstly, starting with the release of ChatGPT in November 2022, general purpose AI systems trained on huge amounts of highly diverse data have dominated the general public's perception of AI. While the 2019 guidance merely mentioned "artificial neural networks" as part of a list of several "AI procedures/methods" and suggested that, in principle, preference should be given to other, more easily comprehensible models, the 2025 version omits such a list entirely and takes into account the broad range of AI technologies, from narrow AI systems with a specific, defined purpose to general purpose AI. In addition, the 2025 version puts more emphasis on the collection and choice of training data. Secondly, the EU AI Act, which entered into force on 1 August 2024, is reflected in the 2025 version, for instance with regard to the definition of "artificial intelligence" and the concepts of training data, validation data and testing data. All in all, the 2025 guidance seeks to take into account recent factual and legal developments, and is more than a simple update.

Summary of Recommendations

The guidance only applies to AI systems that involve some form of processing of personal data. For instance, an AI system designed to predict natural events would be out of scope. Further, the guidance does not address the data protection issues relating to the collection of datasets, e.g. through web crawling and scraping, which are very important in practice.

Phase 1: Design

At the outset of the AI lifecycle, the guidance encourages a thorough assessment of the selection of data, data inputs, system architecture, and the associated risks to data subjects. Specific recommendations include:

  • Transparency: Maintain comprehensive documentation covering training data (e.g. description of the dataset(s), sources), the AI system (purpose, architecture, algorithms), and safeguards regarding other data protection goals. Concepts like open source AI and explainable AI are encouraged for enhancing transparency.
  • Data minimisation: Evaluate whether less data or alternative methods can achieve comparable performance with regard to:
    • System-design: Consider a system/algorithms with comparable performance that use(s) less data, or federated learning,
    • Data volume: Check if the number of data points can (potentially: empirically) be justified in relation to the purposes of the AI system,
    • Data categories: Prefer attributes with generalised character (e.g. "year" instead of "day-month-year" as regards date of birth); remove discriminating/bias-inducing attributes; use feature selection techniques and dimensionality reduction techniques; avoid collection of sensitive data under Art. 9 GDPR if possible,
    • Data typology: Use aggregated, synthetic or anonymised data where possible,
    • Data sources: Check whether the data can be sourced from existing sources before newly collecting data from other sources.
  • Unlinkability: If there is a legal prohibition to process certain personal data, ensure that such data cannot be inferred from ostensibly neutral attributes.
  • Intervenability: Provide a time buffer between raw data collection, data subject notification, and model training to allow data subjects to exercise their GDPR rights. AI models that provide individuals with better access to exercising their rights are to be preferred (e.g., AI models that enable faster re-training after an erasure request, Support-Vector-Machines). Consider techniques like machine unlearning or selective fine-tuning.
  • Availability: To enable immediate access to and processing of personal data, data management systems, such as big data databases, should be integrated.
  • Integrity: Evaluate raw data for accuracy, quality, data source reliability, and potential biases. Robust data validation to prevent vulnerabilities (e.g. through data poisoning) is essential, including when pre-trained models are used (e.g. to prevent backdoor poisoning).
  • Confidentiality: Consider techniques like differential privacy and regularisation as safeguards against unintended disclosure of personal data during AI system use.
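The data-minimisation bullets above (purpose-based selection of attributes, generalisation such as "year" instead of a full date of birth, and avoiding Art. 9 GDPR categories) can be turned into a repeatable preprocessing step. This is an added example, not code from the guidance; the record schema, the required-attribute set and the partial list of Art. 9 attribute names are constructed for illustration.

```python
"""Data-minimisation pass over a training record, with a per-attribute decision log."""
from typing import Any

# Constructed, non-exhaustive set of attribute names treated as Art. 9 GDPR special categories.
ART9_ATTRIBUTES = {"health_condition", "religion", "ethnic_origin", "trade_union_membership"}


def _year_only(value: str) -> str:
    # "1987-05-23" -> "1987": keep the year, drop day and month
    return value[:4]


def _postcode_area(value: str) -> str:
    # "10115" -> "10": keep only the leading area digits
    return value[:2]


# Generalisation rules: attribute -> function producing a coarser value.
GENERALISE = {"date_of_birth": _year_only, "postcode": _postcode_area}


def minimise_record(record: dict[str, Any], required: set[str]) -> tuple[dict[str, Any], list[str]]:
    """Return (minimised record, decision log).

    Only attributes in `required` (those justified by the system's purpose) are kept;
    Art. 9 attributes are dropped even if listed as required; attributes with a
    generalisation rule are coarsened. The log records why each attribute was handled
    as it was, so the decision can be documented for accountability purposes.
    """
    out: dict[str, Any] = {}
    log: list[str] = []
    for key, value in record.items():
        if key in ART9_ATTRIBUTES:
            log.append(f"{key}: dropped (Art. 9 special category)")
        elif key not in required:
            log.append(f"{key}: dropped (not justified by purpose)")
        elif key in GENERALISE:
            out[key] = GENERALISE[key](value)
            log.append(f"{key}: generalised {value!r} -> {out[key]!r}")
        else:
            out[key] = value
            log.append(f"{key}: kept")
    return out, log
```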

Phase 2: Development

During model building and training, the design-phase decisions must be operationalised. The guidance calls for refinement of measures based on technical insights gained during development. Key points include:

  • Transparency: Document validation methods chosen by the manufacturer/developer. AI Act requirements (Art. 11, 18, Annex VI, VII AI Act: technical documentation and conformity assessment) can be used as a guideline.
  • Data minimisation: Confirm that the AI model stores or reproduces personal data only where strictly necessary for its defined purpose.
  • Unlinkability: Test whether the AI system produces unintended outputs or extrapolations beyond its defined purpose.
  • Intervenability: Where automated individual decision-making (Art. 22 GDPR) is involved, AI systems must include user-accessible options to question or override results.
  • Availability: Design training, testing, and validation infrastructure for reliability and minimal downtime.
  • Integrity: Ensure integrity of the training, validation and testing datasets and integrity of the AI system. Post-training, the AI system should consistently produce accurate, robust outputs aligned with its defined function.
  • Confidentiality: Assess risk of model leakage or unauthorised exposure of personal data through user queries or adversarial attacks, and implement appropriate countermeasures.

Phase 3: Implementation

In the implementation stage, particularly when development and operation are under unified control (as opposed to "AI-as-a-Service"), the guidance emphasises clear documentation and secure configuration:

  • Transparency: Document the AI system's parameters, decision-making components (e.g. parameters for neural networks, data used for inference, trust indicators (AI alignment)), system versions, and available configuration options (including user-adjustable ones). This documentation should be intelligible to non-specialists and support "data protection by default" principles.
  • Data minimisation: Opt for data-minimising configuration compatible with the accountability principle under the GDPR.
  • Confidentiality: Use encryption and other security measures when distributing AI models or systems containing personal data.
  • Unlinkability, intervenability, availability, and integrity: No distinct TOMs are identified for AI systems beyond general IT system requirements.

Phase 4: Operation and monitoring

Ongoing operation requires monitoring performance, adapting to legal and technical change, and ensuring long-term data protection compliance. Recommendations include:

  • Transparency: Keep audit-proof logs of relevant AI model parameters (e.g., in decision trees), processing steps and processed data (per AI system), including if/which data is reused for further training.
  • Data minimisation: Continuously assess whether processed data remains necessary and use reduced training data where possible. Retrain models to exclude redundant or discriminatory attributes. Define GDPR-compliant criteria for using operational data in future model training.
  • Intervenability: Especially relevant in decision-support contexts, systems must allow meaningful human oversight. Data subject rights, particularly the right to data deletion (Art. 17 GDPR), may require model retraining or even full redevelopment. Machine unlearning and input/output filters are noted as possible (albeit sometimes temporary) solutions. In certain cases, the DPAs stress that compliance may require not only the "best available techniques" but application of the broader "state of scientific knowledge".
  • Integrity: Regularly assess whether changes in the knowledge domain (e.g. legal updates, evolving context, technical shifts) render models outdated or riskier. Implement measures such as retraining, input filtering, or detection of adversarial evasion attacks. Perform regular risk assessments (e.g. red teaming), particularly for publicly accessible systems.
  • Confidentiality: Prevent unauthorised access to training data or model internals, especially when deploying via APIs. When integrating new data sources (e.g. in retrieval-augmented generation (RAG) systems), reassess whether access controls remain appropriate.
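The "audit-proof logs" called for in the transparency bullet above can be made tamper-evident by hash-chaining each entry to its predecessor, so that any later edit or deletion is detectable. This is an added example, not code from the guidance; the record fields (model version, processing step, data reference, reuse-for-training flag) and the genesis sentinel are constructed for illustration.

```python
"""Tamper-evident (hash-chained) audit log for AI system operation."""
import hashlib
import json

GENESIS = "0" * 64  # constructed sentinel used as the first entry's predecessor hash


def _digest(entry: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the same record always hashes identically
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


def append_entry(log: list[dict], *, model_version: str, step: str,
                 data_ref: str, reused_for_training: bool) -> dict:
    """Append one record that is linked to the previous record by its hash."""
    prev_hash = log[-1]["entry_hash"] if log else GENESIS
    entry = {
        "seq": len(log),
        "model_version": model_version,          # which parameter set produced the output
        "step": step,                            # processing step, e.g. "inference" or "retrain"
        "data_ref": data_ref,                    # reference to the processed data, not the data itself
        "reused_for_training": reused_for_training,
        "prev_hash": prev_hash,
    }
    entry["entry_hash"] = _digest(entry)
    log.append(entry)
    return entry


def verify_chain(log: list[dict]) -> tuple[bool, int]:
    """Return (True, -1) if the chain is intact, else (False, index of the first bad entry).

    Detects edited fields (digest mismatch), reordering or removal (seq/prev_hash mismatch).
    """
    prev_hash = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if (entry.get("seq") != i or entry.get("prev_hash") != prev_hash
                or _digest(body) != entry.get("entry_hash")):
            return False, i
        prev_hash = entry["entry_hash"]
    return True, -1
```

A hash chain alone does not stop someone with write access from rewriting the whole log; for it to be audit-proof, the latest `entry_hash` should periodically be anchored outside the writer's control (write-once storage or a signed checkpoint).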

Takeaways for Businesses

The guidance states that the proposed measures are mere recommendations. Therefore, manufacturers and/or developers are in general free to achieve data protection compliance in a different way. However, the guidance offers a detailed catalogue of recommended safeguards and risk-mitigation strategies, and clearly signals the expectations of German supervisory authorities regarding the design and governance of AI systems processing personal data.

Adhering to the guidance may not only help to build reliable and effective technical and organizational safeguards, but also assist companies in demonstrating compliance with legal requirements and therefore help to prevent potential discussions with German DPAs. In any case, the guidance indicates that the German DPAs will in the future likely expect a systematic approach to TOMs and engagement with the specific risks and legal issues resulting from the development and operation of AI, even if there may not yet be perfect solutions for all issues.


Authored by Martin Pflueger, Henrik Hanssen, and Marcus Haeussling.
