Newsletter data protection 05/2026

We look back on a successful Data Protection Law Day on the topic of ‘The GDPR yesterday, today and tomorrow – the need for reform and proposals for reform in data protection law’, which took place on April 24, 2026 at the LWL Prussian Museum in Minden. We have summarised the key findings from the day’s expert discussions for you in this month’s main topic. 

Last month saw some interesting developments at the political level, such as a joint opinion by the EDPB and the EDPS on cybersecurity and a resolution by the European Parliament on voluntary chat monitoring by messaging services, which we report on in this newsletter. We also examine several rulings by the Federal Court of Justice (BGH). Among other things, the BGH had to address whether there is a right to erasure under Article 17 GDPR for personal data in the commercial register that goes beyond what must be registered, and whether the right of access can be transferred to a new creditor as an ancillary right by way of an assignment agreement. The BGH also heard a case on covert video recordings made to investigate a criminal offence within a family.

If you have any feedback on this newsletter or any questions regarding its topics, please email us at datenschutz@brandi.net. You can also find further contact details on our website.

Dr Sebastian Meyer and the BRANDI Data Protection Team

Dr. Sebastian Meyer, LL.M.

Lawyer and Notary in and for Bielefeld
Certified Specialized Attorney in information technology law (IT-Recht)
Data Protection Auditor (TÜV)

Information and contact

Topic of the month / May 2026

BRANDI Data Protection Law Day on “The GDPR yesterday, today and tomorrow – the need for reform and proposals for reform in data protection law”

For our seventh Data Protection Law Day on April 24, 2026, Mr Denis Lehmkemper, State Data Protection Commissioner for Lower Saxony (LfD Niedersachsen), was a guest at BRANDI. As part of the event on the topic “GDPR yesterday, today and tomorrow – the need for reform and proposals for reform in data protection law”, Mr Lehmkemper, in conversation with legal experts including Dr Sebastian Meyer, Dr Jan-Peter Möhle and Dr Christoph Rempe, provided an interesting insight into the challenges and potential solutions in the field of AI and data protection, as well as into his work as State Data Protection Commissioner. In this main topic, we would like to look back at the Data Protection Law Day and provide an overview of the technical discussions and presentations.

Other topics in this newsletter

IT Security Day by Michael Wessel GmbH on June 8, 2026

On June 8, 2026, Michael Wessel Informationstechnologie GmbH is hosting an IT Security Day in Minden. Together with their partner companies, they will present exciting programme items, such as current IT security challenges, the requirements of the NIS 2 Directive, and insights into security trends and technologies. In addition, there will be opportunities for personal discussions with IT managers and experts during the breaks and at the end of the programme.

The registration form for the event and further information can be found online at the following link:

Registration for the IT Security Day

Federal Court of Justice

Right to erasure of non-mandatory data in the commercial register

In its judgment of February 18, 2026, the Federal Court of Justice (BGH) ruled that there is a right to erasure under Article 17 GDPR with regard to personal data in the commercial register that is not subject to mandatory registration (so-called non-mandatory data) (BGH, decision dated 18.02.2026 – Ref.: II ZB 2/25).

The applicants – both managing directors within the structure of a GmbH & Co. KG – sought the replacement of documents held in the register’s file folder which contain personal data such as home addresses and signatures. Instead of this information, the replacement documents now contain the companies’ business addresses and ‘gez.’ (signed) annotations with the names in typewritten form. The reason for the requested replacement was the applicants’ fear of becoming victims of criminal offences: records from the commercial registers are accessible free of charge and have been accessed frequently since the Act Implementing the Digitalisation Directive (DiRUG) came into force.

In its reasoning, the Federal Court of Justice (BGH) stated that the deletion of data could not be refused on the grounds that the home addresses and signatures also appear in documents filed in the register folders of other companies. Article 17 GDPR does not require that the relevant personal data be deleted from all storage sources. With the withdrawal of the applicants’ consent, the data processing is no longer lawful, as there is also no legal obligation to continue storing the home addresses and signatures. 

Federal Court of Justice

Right of access is not an ancillary right within the meaning of Section 401 of the German Civil Code (BGB) applied by analogy

In its judgment of February 24, 2026, the BGH addressed the question of whether the right of access under Article 15 GDPR constitutes an ancillary right which, in the event of an assignment, passes to the new creditor by analogy with Section 401 of the German Civil Code (BGB). The BGH ruled that this is not the case (BGH, decision dated 24.02.2026 – Ref.: VI ZR 430/24).

The plaintiff was a company that purchases claims on a commercial basis in order to assert them in its own name. The defendant was a provider of private health and long-term care insurance, against whom the company asserted, in particular, claims for damages and reimbursement that had previously been assigned to it by several policyholders. The claimant alleged that the defendant had invalidly increased the insurance premiums on several occasions in the past. In addition to the claims for reimbursement and damages, the claimant also asserted a right of access under Article 15 GDPR.

The BGH only had to decide on the existence of the right of access. It first established that the rights of access had not already been transferred under the assignment agreement between the insured persons and the company, as the wording of the agreement did not cover rights of access and data transfer. Nor had the rights of access been transferred by analogy with Section 401 BGB. Under that provision, so-called ancillary rights also pass to the new creditor if they are necessary for asserting or enforcing the claim, or if separating them would jeopardise the enforcement of rights in line with the economic allocation of assets or otherwise endanger legal certainty. This does not apply to the claim under Article 15 GDPR: that right was created so that data subjects can become aware of the processing of their data and verify its lawfulness. The BGH left open whether the right of access can be assigned at all.

In practice, policyholders or companies that have acquired their claims sometimes attempt to use the right of access to obtain details of premium adjustments in order to assert claims for reimbursement on that basis, for example where the premium adjustments were formally flawed. The BGH has also recently ruled on the conditions under which information on premium adjustments qualifies as personal data; we reported on this in the February edition of our newsletter.

Federal Court of Justice

On the admissibility of video recordings in private homes

On April 23, 2026, the BGH heard a case on whether covert video recordings of a family member in a private home constitute a breach of the GDPR (press release of 5.2.2026). The decision is due to be handed down on September 17, 2026.

The claimant – a mother who lives with her daughter and her daughter’s husband – is challenging the covert making of video recordings in the shared kitchen. The video recordings, in which the claimant was recognisable, were sent by the daughter to the police and possibly also to her sister in order to investigate a possible theft of coins.

The Regional Court of Celle, as the court of first instance, had dismissed the claim on the grounds that the GDPR does not apply to private homes pursuant to Article 2 (2) (c) GDPR. Under this provision, the Regulation does not apply to data processing carried out by natural persons in the course of purely personal or household activities. The BGH now questions this assessment, given that the video footage was recorded for the purpose of filing a criminal complaint; moreover, the concept of ‘household activities’ is not clearly defined. The recipients of the recordings have to be assessed separately: even unlawfully obtained evidence may be passed on to the police, and the sister, as a close family member, is not protected by the right to privacy. If the exclusion under Article 2 (2) (c) GDPR does not apply, notice of video surveillance would have to be given and consent obtained even within private homes. The BGH will now decide whether to refer these questions of interpretation to the European Court of Justice.

Mira Husemann

Research Associate

Düsseldorf Administrative Court

Transport encryption sufficient for non-sensitive data

In a judgment of April 2, 2026, the Düsseldorf Administrative Court ruled that transport encryption of emails containing non-sensitive personal data is sufficient (Düsseldorf Administrative Court, decision dated 2.4.2026 – Ref.: 29 K 7351/23). End-to-end encryption, on the other hand, is not required.

The claimant had been involved in an accident with a bus driver. Because of risks to life and limb, a block on the disclosure of his personal data had been entered in the Federal Register of Residents. The claimant therefore informed the bus company that all communication should be in writing and that any electronic processing of his data required extensive protective measures. In order to report the accident to its liability insurer, the bus company sent two emails containing the claimant’s first name and surname.

In the Administrative Court’s view, the transmission of the claimant’s personal data can be justified on the basis of the bus company’s legitimate interest in reporting the name of the accident victim for the purpose of settling the claim arising from the accident, pursuant to Article 6 (1) (f) GDPR. In doing so, the controller must implement technical and organisational measures that ensure a level of protection appropriate to the risk – such as encryption. The risk is assessed on the basis of the likelihood of occurrence and the severity of harm to the data subject.

With the transport encryption used by the defendant, the connection between the email client and the email server is encrypted, so the data is protected while it is in transit on each hop. The email itself, however, passes through intermediate nodes (mail servers) on its way to the recipient and is available in plain text to the email provider and at each of those nodes. With end-to-end encryption, by contrast, the content of the email itself is encrypted, so that intermediaries cannot read it.
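To make the distinction concrete, here is an added example (not from the newsletter or the court file) that audits the Received headers of an email to see which hops were protected by STARTTLS; the sample message, host names and the intermediate relay are constructed.

```python
import re
from email import message_from_string

# Constructed sample (not from the court file): three hops, and the middle
# relay accepted the message over plain ESMTP without TLS.
SAMPLE_MESSAGE = """\
Received: from mx2.example.org (mx2.example.org [198.51.100.7])
\tby mail.insurer.example (Postfix) with ESMTPS id 7A1C2
\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits));
\tThu, 2 Apr 2026 10:02:11 +0000
Received: from relay.example.net (relay.example.net [203.0.113.9])
\tby mx2.example.org with ESMTP id 55F0A;
\tThu, 2 Apr 2026 10:02:09 +0000
Received: from [192.0.2.15] (client.busco.example [192.0.2.15])
\tby relay.example.net with ESMTPSA id 13B77
\t(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
\tThu, 2 Apr 2026 10:02:07 +0000

Name of the injured party: Max Mustermann (constructed sample)
"""

FROM_RE = re.compile(r"^from\s+(\S+)", re.I)
BY_RE = re.compile(r"\bby\s+(\S+)", re.I)
WITH_RE = re.compile(r"\bwith\s+([A-Za-z0-9]+)", re.I)  # RFC 3848 keyword
TLS_RE = re.compile(r"\bTLSv?(1[._][0-3])\b")            # Postfix / Gmail clause

def audit_hops(raw_message):
    """One record per hop, oldest first. ESMTPS/ESMTPSA mean STARTTLS (RFC 3848);
    a TLS version clause counts too. Each Received header is written by the
    receiving server, so only hops added by servers you trust are reliable."""
    msg = message_from_string(raw_message)
    hops = []
    for value in reversed(msg.get_all("Received", [])):  # stored newest first
        text = " ".join(value.split())                    # unfold the header
        proto = WITH_RE.search(text)
        proto = proto.group(1).upper() if proto else ""
        tls = TLS_RE.search(text)
        from_m, by_m = FROM_RE.search(text), BY_RE.search(text)
        hops.append({
            "from": from_m.group(1) if from_m else "?",
            "by": by_m.group(1) if by_m else "?",
            "protocol": proto,
            "tls_version": tls.group(1).replace("_", ".") if tls else None,
            "encrypted": proto.endswith(("SMTPS", "SMTPSA")) or tls is not None,
        })
    return hops

def unencrypted_hops(raw_message):
    """Receiving servers that took the message over an unencrypted link."""
    return [h["by"] for h in audit_hops(raw_message) if not h["encrypted"]]
```

Even where every hop reports TLS, each "by" server held the message in plain text, which is exactly the gap that only end-to-end encryption closes.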

The Administrative Court assessed the claimant’s first name and surname as non-sensitive data requiring no special protection. The name is freely accessible on the internet and is not made known solely through unauthorised access by third parties. In conjunction with the location of his company, the whereabouts of the data subject can also be readily determined. Nor did the block imposed on the register of residents result in a different assessment. Transport encryption was therefore sufficient for the personal data transmitted in this case.

Mira Husemann

Research Associate

Higher Social Court (LSG) of Lower Saxony-Bremen

No disclosure of information on whistleblowers

On March 23, 2026, the Higher Social Court (LSG) of Lower Saxony-Bremen ruled that an insured person has no right to inspect the file insofar as it concerns a whistleblower (LSG Lower Saxony-Bremen, decision dated 23.03.2026 – Ref.: L 16 KR 1/26).

The claimant was on sick leave in 2018 and 2019 and received sickness benefit of over 17,000 euros from the defendant health insurance fund. In 2022, the health insurance fund received a tip-off that the claimant had been carrying out paid secondary employment during his period of incapacity for work. Following an investigation and a hearing with the policyholder, the defendant withdrew the sickness benefit authorisation and demanded reimbursement of the sickness benefit paid. The policyholder lodged an objection to this and requested access to the administrative file.

The LSG upheld the decision of the lower court, the Social Court of Hanover. There is no right to inspect files outside the administrative proceedings; in such cases, the decision to grant access to the file is at the discretion of the authority – here, the defendant health insurance fund – and no error of discretion had been alleged. The health insurance fund may receive information from a whistleblower on an anonymous basis without being obliged to give the person concerned information about the whistleblower.

Mira Husemann

Research Associate

EDPB and EDPS

Joint Opinion on the Proposal for a Cybersecurity Act 2

The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) published a joint opinion on March 18, 2026 on the proposal for a Cybersecurity Act 2 and amendments to the NIS 2 Directive. The opinion was prompted by a new cybersecurity package from the European Commission, which aims to enhance the EU’s performance and resilience in the face of cyber threats. In their joint opinion, the EDPB and the EDPS seek to facilitate the introduction of cybersecurity certifications and to strengthen the role of the European Union Agency for Cybersecurity (ENISA) as a centre of information and expertise. In line with the Digital Omnibus, the authorities are calling for a single point of contact for reporting security and data protection incidents and for greater harmonisation of the various reporting obligations within the EU.

Mira Husemann

Research Associate

EU Parliament

No extension of voluntary chat monitoring

An exemption had previously allowed messaging services to search chat histories to combat and report child abuse. The exemption was set to expire on April 3, 2026 and has not been extended, as negotiators from the EU Member States and the European Parliament were unable to reach a compromise (press release of 17.03.2026).

Originally, the European Commission had proposed mandatory checks and automatic scans. The EU Member States, however, wanted voluntary checks. Further votes in the European Parliament in March 2026 provided for a renewed extension of the exemption until August 3, 2026, as well as a restriction of chat monitoring to suspicious users, but these proposals could not be implemented. Birgit Sippel – Member of the European Parliament – is therefore calling for greater user awareness of “this online brutality” and expanded capabilities for law enforcement agencies.

Mira Husemann

Research Associate

Italy

€ 31.8 million fine for inadequate protective measures

On February 26, 2026, the Italian Data Protection Authority (GPDP) imposed a fine of € 31.8 million on the major bank Intesa Sanpaolo, as the technical and organisational measures implemented to protect its customers’ data were inadequate (press release of 30.03.2026). 

An investigation by the Italian Data Protection Authority revealed that an employee had access to the bank details of over 3,500 customers without valid reason. The queries carried out by the employee, which also concerned ‘high-risk customers’ such as individuals in public office, were not detected by the internal control system. 

On this basis, the authority found breaches of the principles of integrity and confidentiality of personal data, as well as a breach of accountability. Furthermore, the authority criticised the fact that the data breach notification was incomplete and late.
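A control that would catch the pattern described in this case, as an added example that is not from the authority's decision or the bank's systems; the log lines, the high-risk customer list and the thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed access-log lines (not the bank's data). Fields: date, employee,
# customer id, justification (a case reference, or "-" if none was recorded).
# The high-risk list (public office holders etc.) is an assumption of this example.
HIGH_RISK_CUSTOMERS = {"C20001", "C20002"}

def sample_log():
    lines = ["2026-01-10 emp007 C10001 CASE-101", "2026-01-10 emp007 C20001 CASE-102"]
    # emp042 browses 40 ordinary customers plus one high-risk customer, no case reference
    lines += [f"2026-01-10 emp042 C1{n:04d} -" for n in range(1, 41)]
    lines.append("2026-01-10 emp042 C20002 -")
    return lines

def parse(line):
    date, employee, customer, why = line.split()
    return {"date": date, "employee": employee, "customer": customer, "justified": why != "-"}

def detect(lines, max_unjustified_per_day=25):
    """Return alerts as (employee, date, reason). Two rules, both assumed thresholds:
    R1: more than max_unjustified_per_day distinct customers read without a recorded
        justification on one day (mass browsing);
    R2: any unjustified read of a customer on the high-risk list, alerted immediately."""
    unjustified = defaultdict(set)          # (employee, date) -> customers read
    alerts = []
    for rec in map(parse, lines):
        if rec["justified"]:
            continue
        key = (rec["employee"], rec["date"])
        unjustified[key].add(rec["customer"])
        if rec["customer"] in HIGH_RISK_CUSTOMERS:
            alerts.append((*key, f"R2 unjustified access to high-risk customer {rec['customer']}"))
    for (employee, date), customers in unjustified.items():
        if len(customers) > max_unjustified_per_day:
            alerts.append((employee, date, f"R1 {len(customers)} unjustified customer records in one day"))
    return alerts

if __name__ == "__main__":
    for alert in detect(sample_log()):
        print(*alert)
```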

Romania

€ 125,000 fine for inadequate security measures

On March 25, 2026, the Romanian Data Protection Authority imposed a fine of € 125,000 on a subsidiary of Renault because the company had failed to implement adequate technical and organisational measures (press release of 25.03.2026).

Following a cyber attack on the company, personal data belonging to a large number of individuals was accessed without authorisation and disclosed by being published on a platform. 

In addition to the fact that the technical and organisational measures in place did not ensure an adequate level of security, the data protection authority also criticised the company for failing to have a procedure in place to regularly review and assess the effectiveness of the technical and organisational measures. Furthermore, the authority found that the company had engaged data processors who did not provide sufficient guarantees regarding the implementation of technical and organisational measures.