The Bayerisches Landesamt für Datenschutzaufsicht, or BayLDA, the Bavarian data protection authority responsible for the private sector, published its 15th annual activity report in March 2026. The document covers the 2025 calendar year and runs to more than 80 pages. Its opening pages describe what President Michael Will calls a Belastungstest - a stress test - for the supervisory system. The numbers behind that description are striking. Total complaints and supervisory prompts reached 9,746, a 61 percent increase compared to 2024 and the highest figure since the GDPR took effect. Data breach notifications rose by 23 percent to 3,603. At the same time, formal advisory requests from businesses and citizens fell to a record low of 1,274.
For marketing professionals operating in Europe, the report is more than a regional compliance document. It maps where enforcement pressure is concentrating, how AI is changing the volume and character of regulatory complaints, and which advertising-adjacent practices - from direct marketing consent to political targeting - are drawing specific scrutiny. Germany's data protection landscape intersects directly with the tools and platforms used across digital advertising, and this report signals where that intersection is becoming uncomfortable.
The complaint surge and the role of large language models
Of the 9,746 total inputs received by BayLDA in 2025, 67 percent were classified as formal complaints under Article 77 of the GDPR, while 21 percent were supervisory prompts without personal affectedness. The remaining 12 percent had not yet been categorized at year-end.
According to the report, a significant factor in the surge is the spread of large language models. The authority writes that barriers to filing a data protection complaint have dropped considerably because of the availability of AI tools. Where previously a complainant needed to invest some effort in drafting a written complaint or completing an online form, many individuals now use LLMs to describe their situation and generate a formal letter. The authority describes this as fundamentally positive in one respect - it broadens access to a free regulatory channel that had previously required some literacy and patience. But it also introduces problems.
In practice, the BayLDA reports receiving chat logs from conversations with language models as complaint submissions, or cases where AI-generated placeholder text was left unfilled. In other instances, the model simply invented details, which were then forwarded to the authority without verification. According to the report, these submissions create unnecessary resource consumption and extend the duration of proceedings. The authority appeals to those affected to review AI-generated submissions before forwarding them.
A second pattern described in the report is more structurally significant. A growing number of complaints are being filed not because data protection is the primary concern of the individual, but because AI tools have identified the supervisory complaint mechanism as a low-cost, no-fee instrument for pursuing disputes that are fundamentally civil in nature. Examples cited in the report include complaints about the correction of insurance assessments on disability, or the deletion of third-party testimonials in custody and employment protection proceedings. The underlying concern may be legitimate, but the appropriate venue is a civil court. The BayLDA notes that such misuse cases generate disproportionate follow-on disputes in the form of objections, supervisory complaints, and administrative court proceedings - and sometimes online harassment of the authority's own staff.
The authority handled 704 cooperation proceedings under the GDPR's cross-border mechanism in 2025, of which 101 were closed during the year and 603 remained open at year-end. Of the 162 procedures commenced in 2025, BayLDA held a lead role in 18. Processing times in complex cross-border cases reflect the technical and legal depth involved.
What the complaint distribution reveals
The largest category of formal complaints received in 2025 concerned internet and digital services, accounting for 21 percent of the total. This category includes data subject rights in online environments, tracking technologies, and social media. Video surveillance followed at 20 percent, with most cases arising from private use of cameras in residential or neighborhood settings. Advertising and marketing complaints accounted for 12 percent. Employee data protection cases and health-related complaints each registered a 2 percent increase compared to the prior year. All other sector proportions remained broadly stable.
Despite the volume, the authority reports that 62 percent of all formal complaints closed in 2025 were resolved within three months. Cases involving multiple parties, technical complexity, or cross-border elements took longer. A chart in the report shows the accumulating backlog of unresolved cases - what the document describes as a Schuldenberg, or debt pile - growing steadily since 2020 and accelerating sharply in 2025.
Consent for direct marketing: what proof is actually required
One of the sections most immediately relevant to marketing practitioners concerns direct marketing consent enforcement. The BayLDA reports a measurable increase in complaints from individuals who received personalized marketing emails, newsletters, or written offers from organizations entirely unknown to them. When those individuals asked about the source of their data, companies typically cited participation in an online sweepstake and the resulting double opt-in as the legal basis for contact.
The authority's position, supported by a German Federal Court of Justice ruling from February 10, 2011 (reference I ZR 164/09), is that recording an IP address and a timestamp is not sufficient evidence of a valid and informed consent. According to the report, the controller must be in a position to present the complete consent declaration for each individual data subject. In cases involving electronically transmitted declarations, this requires storage and the permanent ability to produce a printable version. The report specifically identifies the double opt-in confirmation email as one workable approach to documentation, noting that digital signatures such as DKIM can verify authenticity.
This matters practically. Many online sweepstake operations in Europe function through a chain of parties - an organizer, often based outside Germany, intermediary data brokers whose business model is customer acquisition, and end advertisers who receive the data. All parties in that chain that process the data bear responsibility for demonstrating valid consent under Article 7 of the GDPR. According to the report, the burden of proof rests with each controller. In several cases reviewed by the BayLDA, the data subject was able to show credibly that they could not have provided the supposed consent at the time and location indicated - for example, because they were abroad when the IP address timestamp was recorded.
The report notes that the BayLDA demands formal consent documentation particularly when it observes a clustering of complaints against a single controller. The Hessian authority's related enforcement on unsolicited email marketing and France's draft guidance on email tracking pixels reflect a consistent direction across European supervisors: the burden of demonstrating valid consent for marketing contact is increasing, not diminishing.
Political advertising: a new supervisory responsibility
The EU Regulation on the Transparency and Targeting of Political Advertising (TTPW-VO, Regulation (EU) 2024/900) entered into force on March 13, 2024, and became binding across the EU from October 10, 2025. It is one of two new legal acts under which the BayLDA received new supervisory responsibilities in 2025. The other is the Data Act, in force from September 12, 2025.
Under the regulation, BayLDA is responsible for supervising the data protection requirements for political advertising targeting and transparency. This covers monitoring of targeting and placement techniques for political advertisements under Article 18 of the regulation, and the transparency obligations attached to each political ad under Article 19. The regulation defines political advertising broadly: paid messages designed or suited to influence political processes, including elections. The use of personal data for targeting or placement in this context requires explicit consent from the data subject, and the data must have been collected directly from that individual. Special categories of personal data - political opinions, religious beliefs, ethnic origin - are barred from use in political advertising targeting without exception.
The report notes that the first complaints explicitly referencing the TTPW-VO arrived in 2025, and that the authority expected complaint volumes to increase in the first quarter of 2026 as Bavarian local elections approached. None of the complaints concluded by year-end resulted in findings of violations, although some proceedings remained open. The national implementing legislation, the Politische Werbung Transparenz Gesetz, had not been passed at the time the report was finalized.
Google withdrew from EU political advertising before the regulation took effect, citing operational complexity. Meta followed in July 2025. The BayLDA's new supervisory mandate - covering targeting and transparency for the political ads that do continue to be served across EU platforms - means this area will likely generate both enforcement activity and guidance as the 2026 election cycle progresses.
The Data Act and its interaction with the GDPR
The Data Act, which establishes harmonized rules for fair access to and use of data from connected products and associated services, became applicable in relevant parts from September 12, 2025. The BayLDA received its first advisory inquiries from businesses and trade associations before that date. The core practical question in those inquiries was how to distinguish personal data from non-personal or purely technical data within a Data Act access scenario, and what legal basis under the GDPR would be required if personal data was involved in a data transfer triggered by a Data Act access request.
According to the report, the Data Act does not create its own independent legal basis for processing personal data. Where personal data is involved, the GDPR continues to apply in full, and any transfer or processing requires an applicable ground under Article 6. The BayLDA notes that it will remain responsible for supervising the data protection dimensions of Data Act compliance in Bavaria for now, though federal legislation (a draft was submitted to the Bundestag on December 1, 2025, under reference BT-Drs. 21/2998) would transfer those responsibilities to the Bundesnetzagentur and the federal data protection commissioner. If that transfer proceeds, BayLDA intends to maintain close coordination with the designated authorities to ensure consistent answers on questions such as whether a given data element is personal in nature.
TikTok, cross-border transfers, and what the Irish decision means for advertisers
The report devotes a full section to the April 30, 2025 decision by the Irish Data Protection Commission against TikTok, which resulted in a fine of 485 million euros for violations of Article 46 of the GDPR and an additional 45 million euros for transparency failures under Article 13. The cooperative procedure under Articles 60 and following of the GDPR involved German data protection authorities including BayLDA.
The case concerned transfers of data from European users to China via remote access by employees of TikTok group entities based in that country, operating on data stored in Singapore and the United States. The period under investigation ran from July 29, 2020 to May 17, 2023. TikTok relied on Standard Contractual Clauses as the transfer mechanism under Article 46. The Irish authority's position, confirmed through the cooperative process, was that TikTok had not demonstrated through its own transfer impact assessment that Chinese law's reach over data accessed remotely in China was compatible with the EU protection standard.
According to the BayLDA report, the key legal principle affirmed is that remote access constitutes a data transfer under Chapter V of the GDPR. The burden of demonstrating an equivalent level of protection rests with the data exporter. Where material doubts remain about the reach of third-country law over the data in question, those doubts weigh against the exporter. TikTok has challenged the decision before the Irish High Court, which in November 2025 allowed the company to continue data flows during the appeal. A new DPC inquiry into TikTok data storage in China opened in July 2025 following the company's April 2025 disclosure that limited European user data had been found on Chinese servers.
For marketing technology platforms and their advertising clients operating across jurisdictions, the BayLDA's framing carries practical implications. Any cross-border processing arrangement relying on Standard Contractual Clauses requires a documented, substantive transfer impact assessment - not merely a contractual formality. Where doubt about third-country access remains unresolved after that assessment, the data exporter carries the risk.
Staffing constraints and the federal reform debate
The BayLDA had 43 approved positions at the end of 2025, up from 38 the year before through the 2024/25 double budget. Nine of ten newly created positions were filled or awarded by year-end. For the first time since 2020, the authority has secured internal coverage across all departments. The draft 2026/27 double budget, not yet approved at time of writing, contains no further staff increases despite the workload trajectory.
The report also documents the 2025 debate over restructuring data protection supervision between federal and state levels. Following a meeting between the Federal Chancellor and state leaders on December 4, 2025, it is expected that the federal government will reform private-sector data protection supervision in coordination with the Länder by December 31, 2027. BayLDA states that it intends to use 2026 to document the advantages of federal supervision. The authority's own chairmanship of the German data protection conference is scheduled for 2027, coinciding with the supervisory structure's 25th anniversary.
Cybersecurity, ransomware, and the 3,603 breach notifications
The 23 percent increase in breach notifications to 3,603 reflects a threat landscape that the report describes as persistently active. The authority received 524 ransomware notifications in 2025, continuing a multi-year trend. Double extortion - combining file encryption with threatened or actual publication of stolen data - is described as standard practice. The manufacturing sector, machinery suppliers, and IT service providers in Bavaria were disproportionately affected, with interconnected production systems and supply chain dependencies amplifying individual incidents.
Email account compromise generated approximately 400 notifications under Article 33. The report describes incidents where between 1,000 and 10,000 additional addresses - across other organizations - were targeted in follow-on campaigns using the compromised account. The authority notes that Microsoft 365 environments, as well as major services such as Gmail and T-Online, attract focused attack toolkits designed for credential harvesting at scale.
BayLDA launched what it describes as the Cyberfestung - cybersecurity fortress - initiative on January 29, 2025 at a dedicated event for businesses, political representatives, and trade associations. The framework applies a defense-in-depth approach to ten structural security themes, from access controls and configuration audits to logging and forensic readiness. A 24-page checklist was published alongside workshops. The authority estimates that up to 80 percent of successful cyberattacks could be prevented with known, implementable measures.
Why this matters for digital marketing
The BayLDA annual report is a state-level document, but its implications extend well beyond Bavaria. Its consent proof standards for direct marketing apply wherever German private-sector law governs the advertising relationship. Its analysis of the TTPW-VO applies EU-wide. The TikTok transfer ruling sets cross-border transfer precedent for any platform using Standard Contractual Clauses to move European data to a jurisdiction under surveillance law. And the AI-driven complaint inflation it documents is a structural shift that will affect every supervisory authority in Europe.
Marketers building consent infrastructure for email campaigns, retargeting programs, or political issue advertising need to understand that the documentation bar has shifted. IP addresses and timestamps are not sufficient. Full consent text, verified per individual, with cryptographic authentication where possible, is the emerging minimum. The broader EU consent framework is itself under revision through the Digital Omnibus, but that process is ongoing and any changes would not remove existing obligations retroactively.
At the same time, the report implicitly signals opportunity. The BayLDA repeatedly notes that compliance - genuine, documented, procedurally sound compliance - closes cases and avoids escalation. Organizations that invest in proper consent records, clear deletion pipelines, and transparent data transfer assessments are not just managing regulatory risk. They are building processing infrastructure that survives scrutiny at a moment when scrutiny has become substantially harder to avoid.
Timeline
- March 9, 2010: Court of Justice of the European Union issues ruling in Case C-518/07 establishing data protection authorities as "guardians of fundamental rights."
- February 10, 2011: German Federal Court of Justice issues ruling (I ZR 164/09) on consent documentation standards for direct marketing.
- January 1, 2018: Bavaria mandates smoke detectors in residential buildings (legal backdrop to BayLDA's 2025 guidance on smart smoke detectors with room monitoring).
- May 25, 2018: GDPR becomes enforceable across EU member states.
- January 16, 2025: Privacy group noyb files complaints against Chinese tech firms including TikTok over data transfer practices.
- January 28, 2025: German Federal Court of Justice issues ruling in Case VI ZR 109/23, clarifying GDPR compensation standards for marketing emails, covered by PPC Land.
- January 29, 2025: BayLDA presents Cyberfestung initiative at Cybersecurity Day 2025.
- April 30, 2025: Irish Data Protection Commission issues decision against TikTok, fining the company 530 million euros for data transfers to China.
- May 2, 2025: Irish DPC decision published and reported widely; remote access ruling covered by PPC Land.
- June 12, 2025: French data authority CNIL opens consultation on email tracking pixel rules.
- June 16, 2025: Hessian DPA report published, with findings on abandoned cart emails and direct email marketing fines.
- July 10, 2025: Irish DPC opens new inquiry into TikTok's China data storage.
- July 14, 2025: Irish High Court grants TikTok permission to challenge the 530 million euro fine.
- July 25, 2025: Meta announces withdrawal from EU political advertising; covered by PPC Land.
- September 3, 2025: European General Court rules in T-553/Latombe case, confirming validity of EU-US Data Privacy Framework adequacy decision.
- September 12, 2025: Data Act becomes applicable for relevant provisions.
- October 10, 2025: EU Regulation 2024/900 on transparency and targeting of political advertising becomes binding.
- November 13, 2025: Irish High Court allows TikTok to continue data transfers to China during appeal.
- November 19, 2025: European Commission unveils Digital Omnibus package proposing sweeping GDPR changes.
- November 26, 2025: EU GDPR Procedural Regulation finalized; published in the Official Journal on December 12, 2025; applicable from April 2, 2027.
- December 1, 2025: German federal government submits Data Act implementing legislation to Bundestag (BT-Drs. 21/2998).
- December 4, 2025: Federal Chancellor meets state leaders; agreement expected to reform private-sector data protection supervision by December 31, 2027.
- March 2026: BayLDA publishes 15th Annual Activity Report covering 2025.
Summary
Who: The Bayerisches Landesamt für Datenschutzaufsicht (BayLDA), Bavaria's data protection authority for the private sector, headed by President Michael Will, published this report. The document covers businesses, advertising platforms, data brokers, and individuals operating under German private-sector data protection law.
What: BayLDA's 15th annual activity report documents a record 9,746 complaints in 2025 - a 61 percent increase over 2024 - alongside 3,603 data breach notifications and a record low of 1,274 advisory requests. The report sets out the authority's enforcement positions on direct marketing consent documentation, political advertising targeting under the new EU regulation, Data Act implementation, the TikTok cross-border transfer ruling, ransomware, and AI-generated complaints. It also describes new supervisory responsibilities and ongoing resource constraints.
When: The report covers the calendar year 2025. It was submitted in March 2026 by President Michael Will. The new supervisory responsibilities under the Data Act and the political advertising regulation became applicable in September and October 2025 respectively. The GDPR Procedural Regulation, which will affect cross-border complaint processing, applies from April 2, 2027.
Where: The BayLDA supervises private-sector data processing in the state of Bavaria, Germany. Its office is at Promenade 18, 91522 Ansbach. As a member of the German data protection conference and a participating authority in EU cooperative proceedings, its enforcement positions and interpretations carry weight across German and European data protection practice.
Why: The surge in complaints reflects structural shifts - the spread of AI tools that lower the barrier to complaint filing, a growing use of data protection law as an instrument in civil disputes, and a genuinely expanding digital data economy. The report matters for marketers because it sets out enforceable positions on consent documentation for direct marketing, the supervisory framework for political advertising, the legal requirements for cross-border data transfers, and the conditions under which AI-generated submissions create procedural problems. The marketing community, and particularly those operating in programmatic advertising, direct email, or political digital campaigns across European markets, faces more intensive and better-resourced supervisory oversight than at any point since the GDPR became applicable.