34th BfDI Activity Report: Complaints Up 36%, 129 Supervisory Measures in 2025

In parliamentary session week 19 / 2026, Germany's Federal Commissioner for Data Protection and Freedom of Information (BfDI) handed her 34th Activity Report for the 2025 reporting year to the Bundestag. The numbers are unambiguous: data protection enforcement is becoming more active at a pace many companies have not yet absorbed. [1]

The figures in the report

• 11,824 submissions in 2025 — +36 % year over year and +52 % versus 2023. The complaint volume has more than doubled within two years.
• 80 on-site inspections, 40 written inspections, 129 supervisory measures overall.
• €45 million in fines in two proceedings against Vodafone GmbH for inadequate oversight of partner agencies and security gaps.

The report shows one thing above all: the era when data protection authorities mainly advised is over. Complaints no longer end up in a drawer, inspections are pursued more consistently, fines arrive faster. [2]

What this means for the GB Psych

In 2026, the psychological risk assessment runs into a two-track inspection front: the labour authority is legally bound by the Occupational Safety Inspection Act with its 5 % minimum quota. The data protection authority is, as the BfDI report shows, working more actively against significantly higher complaint volumes.

Concretely: companies running a self-built risk assessment — via Excel, Google Forms, Microsoft Forms, SharePoint or in-house tools — process health data under Art. 9 GDPR without the architectural separation that processing on behalf of a controller enforces. A single complaint by an employee to the state data protection authority is enough to trigger an inspection. And the probability of that has just risen substantially.

Going deeper

For the parallel fine stack ArbSchG + GDPR + BDSG: GB Psych Self-Survey — Why Two Authorities May Inspect in Parallel. And the full source pillar with DPIA checklist: Data Protection and the GB Psych in Self-Survey.