When manufacturers are required to share data, a key question arises: on what terms? The Data Act provides the answer in five letters: FRAND – Fair, Reasonable and Non-Discriminatory. What does this mean in practice?

On 26 March 2026, the Bundestag passed the Data Implementation Act (DADG). Germany has thus created the national legal framework required of member states by the EU Data Act - after a significant delay. Below we provide an overview of the background, content and fine regulations of the new law.

With a new cybersecurity package (Cybersecurity Act 2), Brussels wants to take cybersecurity in the EU to a new level: mandatory certifications, stricter supervision and a stronger ENISA are intended to make the digital single market resilient to current and future threats. The requirements for companies under the NIS 2 Directive are also under review.

Digitalisation in agriculture is picking up speed: smart agricultural machinery, sensor technology in the field and data platforms are no longer the future, but everyday life. The EU Data Act, which sets rules for accessing, using and sharing data, is becoming a decisive factor here:

On 18 October 2024, the Federal Council approved the "Fourth Act to Reduce Bureaucracy for Citizens, Business and the Administration". The aim: less effort for business, more time for the core business. A central element of the law is the shortening of the retention period for accounting documents under commercial and tax law from ten to eight years. What initially sounds like a noticeable relief, however, also has a data protection component that companies should not underestimate.

A growing number of companies are using AI chatbots to provide customers with quick and uncomplicated support with product questions. This raises the question of how such a system can be operated in compliance with data protection regulations and what requirements arise from the AI Regulation (KI-VO). A typical application scenario is an AI-enhanced FAQ chatbot, for example, which is obtained from appropriately specialised software providers to answer frequently asked questions on a website automatically and, improved by AI, in an increasingly targeted manner.

With the "Lindenapotheke" judgement on health data, the European Court of Justice cemented its extremely broad interpretation of Art. 9 GDPR. The consequences - particularly for online retailers - are considerable.

The storage and use of credit rating data is subject to strict data protection regulations. The use of creditworthiness data by companies can take place in two directions: On the one hand, companies access creditworthiness information in order to assess risks when awarding contracts. On the other hand, they themselves report data to SCHUFA Holding AG in order to provide the overall system with information.

Collective agreements, in particular works agreements, are only a suitable legal basis for the processing of employee data if they fulfil high requirements. The European Court of Justice (ECJ) recently made this key statement as part of a preliminary ruling procedure.

The transfer of data across international borders is essential for many companies in the digitalized world but poses significant regulatory challenges, particularly in the EU.

American journalist Jeff Javis is Niko Härting's guest in episode 76.