Data protection is a key and important element of the European single market, especially given the rapid digitalisation of private and public life. However, the previous implementation of the GDPR has shown that its high requirements present significant challenges for businesses. In the future, the legislator should refrain from "one-size-fits-all" solutions and instead provide further SME exemptions.

The existing exception for SMEs from the obligation to create a processing directory is hardly applied in practice. This is because it does not apply when SMEs "process personal data more than occasionally." Smaller companies in particular, which handle payroll themselves, regularly process personal data. Hence, the criterion of occasional processing should be removed. Similarly, the regulation stating that the specific needs of SMEs should be considered for the application of the directive is not adhered to in practice. Clear reliefs or exemptions for SMEs, as already provided for in the GDPR, should be pursued. For data-poor processing or data handling with low or normal risk, the comprehensive documentation, information, and verification obligations are disproportionate and inappropriate. At the same time, the level of data protection does not increase. Therefore, the risk-based approach should be consistently implemented in the future.

In addition, documentation, information, and verification obligations should differentiate whether data processing is voluntary or legally mandated. When supervisory authorities review these obligations, specific case-by-case checks should take precedence over comprehensive accountability duties of companies.

To address legal uncertainty, textual clarifications are needed directly within the GDPR or at least within its recitals. This includes, for example, uncertainties related to the obligation to provide copies of data. Textual clarification represents a necessary step towards urgently required standardisation. Templates, checklists, as well as guidelines and recommendations that are practical and allow entrepreneurial freedom can then curb any remaining legal uncertainties.

There is widespread uncertainty in the economy regarding compensation law. The judicial practice in member states is extremely inconsistent even in cases that are almost identical. Despite European Court of Justice rulings that have clarified individual questions, it is often unclear under what conditions and to what extent compensation for violations of the GDPR can be claimed in practice.

Particularly in the context of class actions, there is a threat of a situation in which ongoing legal uncertainty combined with the expected collective lawsuits could inhibit strategic innovation potential. There should be clear regulations stipulating the strict conditions under which an entitlement to bring class actions may be granted. The significance of data protection law alone, in the view of the economy, does not yet justify such an entitlement to bring class actions. In particular, the requirement for demonstrable personal fault for a claim for damages should not be waived. Additionally, a statutory materiality threshold for claims for damages under the GDPR should be introduced.

Data protection regulations can no longer be determined by individual nation-states, owing to global data flows; instead, cross-border regulations are needed. The GDPR can only serve as one component on the path toward international regulation. The "Brussels Effect" anticipated by the EU, whereby many countries align with the GDPR's content requirements, has not materialised. As long as binding international agreements are absent, the EU should act more swiftly using the instrument of adequacy decisions. Furthermore, such decisions should be enduring and reliable. Where no adequacy decision exists, the EU Commission and data protection authorities should promptly release consistent information about the data protection level in third countries so that individual authorities and businesses do not need to conduct this research independently.

The EU-wide uniform implementation sought by the GDPR has not yet been realised. The possibility of opt-out clauses leads to fragmentation of the law in practice, resulting in differing market conditions. The opt-out clauses provided for EU member states under the GDPR should only be used restrictively. In particular, national regulations must not result in excessive regulation (so-called 'gold-plating') (compare chapter 'Bureaucracy Reduction and Better Regulation'). In Germany, for instance, rules governing the appointment of company data protection officers and employee data protection have been established. At the state level, data protection provisions should be standardised. More checklists and templates should be published to promote the nationwide uniform implementation of data protection laws. A reasonable balance must be struck between data protection and technological developments in the working world. Otherwise, there is a risk that Germany will stagnate or be left behind in the digitalisation journey. Data protection must be practicable and enable data processing in the context of advancements in the digital world, for instance, concerning artificial intelligence.

A future E-Privacy Regulation aimed at protecting against unsolicited data tracking should establish a reliable, practical, and technology-neutral legal framework that reflects modern information and consumer needs. The interests of businesses, particularly SMEs, must also be adequately considered. The rules should be consistent and coherent with the GDPR and kept as streamlined as possible.

The legal framework for the data economy should be designed uniformly at least at the European Union (EU) level. A reliable legal framework with clear, competitive, and internationally harmonized conditions is needed to enable data processing. In this regard, the interpretation of standards should be guided by whether the affected entities are actually able to fulfill the obligations in practice. When establishing the legal framework for the data economy, coherence and consistency with existing regulations, such as the General Data Protection Regulation (GDPR), are urgently required. However, data protection rules must not be disproportionately expanded, as this jeopardizes competitiveness and carries the risk of relocation to foreign countries where requirements may be easier to meet.