
Dr. Sebastian Meyer, LL.M.
Lawyer and Notary in and for Bielefeld
Certified Specialized Attorney in information technology law (IT-Recht)
Data Protection Auditor (TÜV)
Data Protection Newsletter 06/2026
Last month saw several significant decisions from Berlin, including the warning issued to the Berlin Transport Authority (BVG) for handling a data protection incident in breach of data protection law, the dismissal of a class action for damages, and a ruling on video surveillance at Berlin’s summer swimming pools, in which the interests of bathers had to be weighed against the pools’ security requirements. Next month, the Federal Court of Justice (BGH) will assess the forwarding of private chat messages from a data protection perspective. In addition, relevant amendments to the AI Regulation (AI Act) are set to be adopted this summer as part of the ‘Digital Omnibus’; we reported on the Digital Omnibus, which aims to promote innovation and reduce costs, in our March main topic.
In our main topic, we examine the NIS 2 Directive and provide an overview of the key requirements and regulations that affected organisations must comply with. The scope of application is also explained – although the specific impact must be assessed on a case-by-case basis. The NIS 2 Directive was already presented during our BRANDI Data Protection Law Day as part of the case studies and compared with the provisions of the General Data Protection Regulation (GDPR), with the similarities and areas of tension between the two sets of regulations being highlighted.
If you have any feedback on this newsletter or any questions regarding its topics, please email us at datenschutz@brandi.net. You can also find further contact details on our website.
Dr Sebastian Meyer and the BRANDI Data Protection Team

Dr. Sebastian Meyer, LL.M.
Lawyer and Notary in and for Bielefeld
Certified Specialized Attorney in information technology law (IT-Recht)
Data Protection Auditor (TÜV)
Topic of the month / June 2026
The NIS 2 Directive
A few months ago, the law implementing the NIS 2 Directive came into force. The NIS 2 Directive aims to ensure the security of network and information systems (NIS) against cyber security threats at European level; by transposing it into the national BSI Act (BSIG), Germany is playing its part in safeguarding the digital single market. The new provisions affect just under 30,000 companies and public bodies and entail a significant implementation burden. Companies need to know whether they fall within the scope of the NIS 2 Directive and, if so, which substantive requirements they must meet.
Forwarding of private chat messages
On July 30, 2026, the Federal Court of Justice (BGH) will hear a case on whether the forwarding of private chat messages to third parties constitutes a breach of data protection (BGH, hearing date 30.07.2026 – Ref.: I ZR 256/25; press release).
The parties exchanged confidential messages via a messaging service regarding the circumstances at the medical practice where the claimant was employed. Following a dispute, the defendant forwarded the chat messages exchanged with the claimant to the office manager of the medical practice, whereupon the claimant’s employment contract was terminated.
Whilst the court of first instance ordered the defendant to pay monetary compensation of € 7,500, the Higher Regional Court of Frankfurt am Main, as the court of appeal, held that the GDPR did not apply and dismissed the claim. In the view of the Higher Regional Court, the communication did not relate to any professional or economic activity of the defendant but to the private sphere, so the household exception under Article 2 (2) (c) of the GDPR applied. That the defendant intended to bring about the claimant’s dismissal, or at least anticipated it, is irrelevant, as the professional relationship between the claimant and the employer is not taken into account. The Federal Court of Justice (BGH) will now decide whether the household exception is indeed applicable.
Mira Husemann
Research Associate
Attribution of false information provided by an AI chatbot
In its judgment of May 12, 2026, the Higher Regional Court of Hamm ruled that false statements made by an AI chatbot are attributable to the operator. The court accordingly ordered the operator to cease using certain specialist medical titles (Hamm Higher Regional Court, decision dated 12.05.2026 – Ref.: 4 UKI 3/25). The claimant was represented in the proceedings by Dr Christoph Rempe and Dr Carina Thull.
The defendant offers minimally invasive beauty treatments and has implemented an AI chatbot on its website so that patients can book appointments and have their questions answered. In its inaccurate responses, the chatbot described the doctors behind the defendant as “specialists in plastic and aesthetic surgery”, “specialists in aesthetic medicine” and “specialists in aesthetic treatments”.
The Higher Regional Court assessed the AI chatbot’s false statements as an unlawful commercial practice on the part of the operator under Section 5 (1) and (2) (3) of the Unfair Competition Act (UWG), as the operator has sufficient influence over the system. In the Court’s view, the specialist titles were misleading because the false information was capable of misleading users regarding the doctors’ professional qualifications. The AI chatbot was not a third party within the meaning of the UWG, so the safety obligations under competition law could not be invoked. For the purposes of this assessment, it is irrelevant whether the operator programmed the AI chatbot exclusively with correct data sets. AI-generated false outputs are therefore attributable to the company itself; the Higher Regional Court ordered the operator to cease the false statements and to pay warning costs of € 260.
The decision is not yet final; an appeal to the BGH has been granted.
Mira Husemann
Research Associate
Berlin Administrative Court upholds video surveillance at Berlin’s summer swimming pools
In a judgment of May 6, 2026, the Berlin Administrative Court ruled that the introduction of comprehensive ID checks and selective video surveillance in the entrance areas of certain swimming pools was compliant with data protection law in view of the tense security situation (Berlin Administrative Court, decision dated 06.05.2026 – Ref.: VG 42 K 73/25; press release of 06.05.2026).
In 2023, there were several security-related incidents at the summer swimming pools operated by the municipal “Berliner Bäder-Betriebe” – the claimant – such as verbal and physical attacks by bathers against one another or against staff, as well as threats. The incidents escalated to such an extent that the summer swimming pools had to be evacuated on three occasions. In response to this, the Berliner Bäder-Betriebe introduced a package of security measures – including ID checks and video surveillance – that very same summer. The security measures were deemed by the Berlin Data Protection Commissioner to be a breach of the GDPR, as they were neither suitable nor necessary for ensuring the safety of the swimming pools. A warning followed, against which the Berliner Bäder-Betriebe subsequently brought legal action.
In the Administrative Court’s view, the claimant’s assessment that the package of measures would be able to curb aggressive behaviour in the summer swimming pools was justified, a view confirmed by the significantly more relaxed security situation in the following summer of 2024. In the balancing of interests, the protection of life, health and freedom achieved through ID checks and video surveillance outweighs the minor interference with the right to informational self-determination, which is protected under data protection law. Furthermore, the identity checks are not documented, and the video surveillance takes place without live monitoring and with a storage period of 72 hours; the measures are therefore proportionate. The fact that the effectiveness of the individual measures cannot be quantified in concrete terms is irrelevant.
Mira Husemann
Research Associate
Class action against social network X inadmissible
On April 30, 2026, the Berlin Administrative Court dismissed a class action against the operator of the social network “X” as inadmissible, as the claims for damages asserted were not suitable for collective legal action (Berlin Administrative Court, decision dated 30.04.2026 – Ref.: 20 VKI 1/25; press release of 30.04.2026).
The Dutch Foundation “Stichting Onderzoek Marktinformatie” (SOMI) brought an action for injunctive relief seeking at least € 750 in damages for each user registered in Germany, as well as an additional € 250 for each user specifically affected by a data breach. The operator of X was accused of collecting, combining and analysing user data without valid consent for the purpose of displaying personalised advertising, influencing users and creating comprehensive personality profiles.
Consumer associations can use an action for injunctive relief to assert claims from consumers that are essentially of a similar nature. Claims are considered to be of a similar nature if they essentially concern the same facts and the consumers’ claims depend on the same factual and legal issues.
The court found that the claims for damages asserted by SOMI were not of a similar nature. A claim for damages under data protection law requires that the data subject has suffered damage as a result of a breach of the GDPR. However, whether and to what extent individual consumers have actually suffered damage – through loss of control or unauthorised access by third parties – must be assessed on a case-by-case basis. The decision is not yet final.
Mira Husemann
Research Associate
Extension of the deadline for implementing the AI Regulation
The European Parliament and the Council of the European Union have adopted amendments to the AI Regulation proposed by the European Commission as part of the ‘Digital Omnibus’ (press release of 07.05.2026). The amendments concern the phased deadlines for the implementation of the AI Regulation, a ban on so-called nudifier apps, and the removal of double regulation. The amendments are to be adopted before August 2, 2026.
The provisions on high-risk AI systems must now be implemented by December 2, 2027. The implementation deadline for AI systems used as safety components and falling under sectoral EU legislation on safety and market surveillance is August 2, 2028. The labelling requirement for AI-generated content has also been postponed, to December 2, 2026. The legislative bodies have thus agreed to an overall extension of the deadlines.
Another agreement reached by the European legislative bodies is the ban on AI systems that generate material involving child sexual abuse or depict the intimate parts of an identifiable person or such a person engaged in sexual acts without their consent. Companies also have until December 2, 2026 to comply with this amendment.
In future, the overlapping requirements for AI in machinery production are to be resolved by clarifying that only the sector-specific regulations – rather than both these and those of the AI Regulation – apply in this context, including the protective measures that ensure a comparable level of health and safety. Furthermore, the term ‘safety component’ is narrowed: products with AI functions that merely assist the user or optimise performance are not automatically subject to the obligations for high-risk AI systems, provided that their failure or malfunction does not entail health or safety risks. The processing of personal data in AI systems is to be permitted where appropriate safeguards are applied and the processing is strictly necessary for the detection and correction of bias. Furthermore, the exemptions for small and medium-sized enterprises (SMEs) are being extended.
Mira Husemann
Research Associate
Berlin Data Protection Commissioner issues warning to BVG
Following a data protection incident in April 2025, the Berlin Commissioner for Data Protection and Information Security (BlnBDI) issued a warning to the Berlin Transport Authority (BVG) (press release dated 04.05.2026).
As early as April 17, 2025, the BVG was informed by a contracted service provider of a successful attack on its IT systems. The service provider had processed around 180,000 records of BVG customers for the purpose of sending letters and emails. At the time of the attack, the contract had already been completed and the customer data should no longer have been stored by the service provider. The BVG failed to check whether the data had been deleted by the service provider after the contract had ended. In the view of the BlnBDI, the first data protection breach lay in the breach of the duty of supervision, which arises from Article 5 (2) in conjunction with Article 5 (1) (c), (e) and (f) in conjunction with Article 32 (1), first sentence, of the GDPR.
It was not until April 30, 2025 – well after the 72-hour deadline had expired – that the BVG reported the data breach to the BlnBDI and notified the affected customers. The investigations were not initiated immediately after the first indication on April 17, 2025, partly due to a lack of organisational measures. Despite the delayed investigations, however, there were sufficient grounds for a reportable data breach by April 25, 2025 at the latest.
Furthermore, no procedure for handling data protection incidents had been laid down in the data processing agreement with the service provider, which constitutes a breach of Article 28 (3) (f) of the GDPR.
Meike Kamp, Berlin’s Commissioner for Data Protection and Information Security, commented on the incident as follows: “Swift action is mandatory in the event of data protection incidents and serves to protect those affected. When companies outsource data processing via data processing agreements, this must not result in investigations or reporting processes being delayed.”
Mira Husemann
Research Associate
54th Activity Report of the HBDI
The Hessian Commissioner for Data Protection and Freedom of Information (HBDI) recently submitted its 54th Annual Report on Data Protection to the State Parliament (press release of 14.04.2026).
The report reveals a sharp rise in complaints regarding violations of the fundamental right to data protection over the past year, particularly in the areas of credit reference agencies and video surveillance. The number of known cyberattacks also rose by almost a third during the reporting period; these are increasingly targeting service providers working for businesses and public authorities and are becoming ever more sophisticated. Furthermore, businesses and public authorities are increasingly turning to the HBDI for advice in order to ensure greater legal certainty for themselves.
Furthermore, the HBDI reports on interesting cases relating to employee data protection, including a complaint regarding the intra-group transfer of an employee’s personal data on suspicion of insurance fraud. Although the GDPR does not recognise a so-called ‘group privilege’, there may well be a legitimate interest under Article 6 (1) (f) of the GDPR in the transfer of data within a group – as is the case with protection against disloyal employees and the prevention of fraud. Furthermore, insurance law obligations under Section 30 (1) of the Insurance Supervision Act (VAG) may legitimise data processing under Article 6 (1) (c) of the GDPR. Article 10 of the GDPR, however, covers only data relating to criminal convictions and offences, not data concerning the actions of potential offenders.
The HBDI’s involvement in developing guidance on Retrieval Augmented Generation (RAG) and the access to personal data by online ordering services for restaurants were also covered in the activity report.
Mira Husemann
Research Associate
€ 200,000 fine imposed on credit reference agency for refusing to delete data
On May 13, 2026, the Spanish Data Protection Authority (AEPD) imposed a fine of € 200,000 on the credit reference agency ASNEF-EQUIFAX for a breach of the right to erasure (press release of 13.05.2026).
Investigations by the AEPD following a complaint revealed that the credit reference agency continued to process personal data relating to a debt even after a final discharge of the debt had been granted. Although multiple requests for data deletion had been made and the discharge of residual debt had been entered in the public insolvency register, the credit reference agency made new data entries.
In the credit reference agency’s view, the requests for erasure should have been addressed to the creditor of the debt, as a provision in the joint controllership agreement between the creditor and ASNEF-EQUIFAX assigns the decision on erasure requests to the creditor. As the creditor failed to act, the AEPD considered that the credit reference agency should itself have taken the necessary steps to verify the repayment, in accordance with the principle of proactive responsibility under Article 24 of the GDPR. Decisions affecting fundamental rights, such as the right to erasure under Article 15 of the GDPR, cannot be delegated to the creditor. Data subjects may, pursuant to Article 26 (3) of the GDPR, contact any of the joint controllers independently of such agreements. The credit reference agency could also have suspended further entries until proof of the existence of the debt was provided.
Mira Husemann
Research Associate
€ 200,000 fine for failure to implement basic security measures
On May 13, 2026, the AEPD imposed a fine of € 200,000 on the IT service provider PROYECTPS VISUALES ZARAGOZA SL for failing to implement basic security measures (press release dated 12.05.2026).
The IT service provider was acting as a data processor for a gym operator. Cybercriminals had stolen personal data from over 800,000 active and former customers of the gym operator and offered it for sale online – including dates of birth, DNI numbers and IBAN details. The attack was made possible by an SQL injection vulnerability on the part of the data processor and by a lack of data encryption, i.e. a failure to implement basic security measures. As both measures were required under the data processing agreement concluded in accordance with Article 28 of the GDPR, the authority took the view that the IT service provider had not acted on the instructions of the gym operator in this data processing and was therefore responsible for the data protection breach.
The fine was originally set at € 500,000; the IT service provider’s admission of liability and timely payment were taken into account as mitigating factors.
Mira Husemann
Research Associate
Fine of € 1 million for a data transfer to Russia
On May 8, 2026, the Dutch Data Protection Authority (AP) imposed a fine of € 1 million on MLU B.V. – the operator of the Yango taxi app – because the company had stored data from customers and drivers on servers in Russia (press release of 08.05.2026). This was the finding of an investigation conducted in collaboration with the Norwegian and Finnish data protection authorities.
People in Norway and Finland can book taxi journeys via the Yango taxi app. The app operator, based in the Netherlands, transferred personal data of customers and taxi drivers – including sensitive data such as bank account numbers, photos of driving licences and social security numbers – to companies in Russia.
Where data is transferred to a third country – i.e. a country outside the European Union or the European Economic Area – an equivalent level of protection for personal data must be ensured. To this end, Articles 44 et seq. of the GDPR provide for various safeguards, which were not implemented by MLU B.V.
Aleid Wolfsen, Chair of the AP, commented as follows: “In Russia, personal data is not as well protected as it is in Europe. This means that the Russian government may be able to access this data. Therefore, the sensitive data of both customers and drivers should have been particularly well protected, especially given the lack of an independent data protection authority in Russia […].”
Mira Husemann
Research Associate