Digital integrity as a (new) fundamental right: status in Germany and the EU in 2025

Brief overview: “Digital integrity” refers to the protection of personality in networked systems – beyond the body and mind, in relation to data, devices, accounts and digital life circumstances. In Germany, there is no explicit fundamental right with this name. Nevertheless, constitutional and EU law guarantees already safeguard key elements. This results in specific compliance obligations for companies and platform operators.

Constitutional starting point in Germany

The anchor is the general right of personality from Art. 2 para. 1 i. in conjunction with Art. 1 para. 1 GG . In 2008, the Federal Constitutional Court developed this further to guarantee the confidentiality and integrity of information technology systems (so-called “IT fundamental right”). This refers to an area of protection that covers not only individual data, but the entire IT system if a comprehensive personal image could be reconstructed from its use. A digital sphere of personality is thus recognized, which binds intervention measures to strict conditions.

This is supplemented by informational self-determination (census case law) and the state’s duty to protect: private security deficits that lead to massive personality impairments can also trigger state response and guarantee obligations. However, there is not (yet) an explicit “fundamental right to digital integrity” in the wording of the German Basic Law; the matter is currently covered by interpretation and specialist law.

European level: Charter of Fundamental Rights, DSA & AI Act

At Union level, Art. 7 CFR (respect for private and family life) and Art. 8 CFR (protection of personal data) safeguard digital privacy. The GDPR specifies this in Art. 5 (data minimization, integrity and confidentiality) and Art. 25 (privacy by design/default). In addition, the EU has codified “Digital Rights and Principles” as political guidelines since 2022; they are aimed at a human-centered, secure and sustainable digital order.

Two regimes are of particular operational relevance:

• Digital Services Act (DSA): addresses due diligence obligations of intermediary services/platforms, including risk management, reporting and redress channels, protection of minors, transparency of recommendation systems. This provides legal protection for the digital sphere of action and communication – including vis-à-vis private gatekeepers.
• AI Act (applicable since 2025 with staggered transition periods): risk-based requirements for AI systems, from transparency obligations to bans on certain practices (e.g. real-time biometric remote identification outside narrow exceptions). For companies, a governance framework is being created that practically protects the digital integrity of natural persons.

The result: An independent EU “fundamental right to digital integrity” does not exist, but the combination of the CFR, GDPR, DSA and AI Act sets material protection standards that come close to a functional protection of fundamental rights.

Reform debates and impetus from abroad

The idea of an explicit “Digital Fundamental Rights Charter” has been under discussion for years. Civil society drafts and academic proposals outline formulation options and adapt traditional protected rights to the reality of the internet and platforms. In Germany, practical development is currently focused on specialized law (e.g. platform and security law) and the further development of personality rights under judicial law.

It is interesting to take a look at Switzerland: cantonal constitutions have recently included the right to digital integrity. The term used there is normatively aimed at an independent protection status for digital spheres. This provides argumentation material for the German discourse, but does not replace the dogma of fundamental rights that applies here. An amendment to the Basic Law would be politically possible, but will have to be weighed up in terms of legal policy in view of the functioning doctrine of fundamental rights and the support provided by EU law.

Practice: Compliance roadmap for companies and platforms

Regardless of an explicit fundamental rights formula, digital integrity is already a compliance issue today. An integrated roadmap is recommended:

1. Define assets to be protected: Personal data, communication content, account integrity, device and session security, identity and reputation protection. Mapping to Art. 5, 25 GDPR.
2. Technology & processes: Encryption at rest/transit, hardening of endpoints, secrets management, zero-trust architecture, role-based access, secure default settings (“privacy by default”), logging with strict purpose limitation.
3. Check DSA obligations (for intermediary services): Reporting channels, notice-and-action processes, complaints and internal re-review mechanism, protection of minors, transparency reports, recommender controls; extended obligations for very large platforms if necessary.
4. AI act readiness: system inventory, risk classification (prohibited/high/limited/minimal), compliance and documentation processes, data and model governance, human oversight. Contractual enforcement against providers and integrators.
5. Data protection impact assessments (DPIA): for risky processing operations; clear remedial concepts, operationalize data subject rights, incident response with reporting chains.
6. Supply chain & contracts: TOM facilities, audit/sub-processor chains, AI use and training clauses, export controls for models/parameters, security SLAs, exit and data portability.
7. Product and market risk assessment: combine abuse-prone features (e.g. deepfake functions) with abuse prevention (watermarks/provenance, rate limits, abuse detection).
8. Documentation & accountability: Proof of the measures taken (accountability), regular management reviews, training and pen tests.

Conclusion: Even without an expressly standardized constitutional title, digital integrity is already addressed in a legally binding manner – under constitutional law via the right of personality and under EU law via the GDPR, DSA and AI Act. In practice, it is less the fraudulent labeling that counts than the complete implementation of specific protection and due diligence obligations.

Author: Marian Härtel

Marian Härtel ist Rechtsanwalt und Fachanwalt für IT-Recht mit einer über 25-jährigen Erfahrung als Unternehmer und Berater in den Bereichen Games, E-Sport, Blockchain, SaaS und Künstliche Intelligenz. Seine Beratungsschwerpunkte umfassen neben dem IT-Recht insbesondere das Urheberrecht, Medienrecht sowie Wettbewerbsrecht. Er betreut schwerpunktmäßig Start-ups, Agenturen und Influencer, die er in strategischen Fragen, komplexen Vertragsangelegenheiten sowie bei Investitionsprojekten begleitet. Dabei zeichnet sich seine Beratung durch einen interdisziplinären Ansatz aus, der juristische Expertise und langjährige unternehmerische Erfahrung miteinander verbindet. Ziel seiner Tätigkeit ist stets, Mandanten praxisorientierte Lösungen anzubieten und rechtlich fundierte Unterstützung bei der Umsetzung innovativer Geschäftsmodelle zu gewährleisten.