
Data protection newsletter
Dear readers,
Every year brings with it new developments and challenges in data protection law. Traditionally, we summarize the data protection events of the past year in the January issue of our newsletter. In the main topic of this year's first issue, we therefore look back at the year 2024 in data protection law and venture a look ahead to 2025.
As usual, we will keep you informed about the latest developments in data protection law throughout the new year. In the current issue, we report on the ECJ's decision on the exceptions to the information obligation under Art. 14 (5) GDPR, the decision of the Austrian Federal Administrative Court on the use of Google reCAPTCHA, the DSK's guidance for providers of digital services, the HmbBfDI's fine of 900,000 euros, and further decisions by the supervisory authorities in France and Finland.
For feedback on this newsletter or questions related to the newsletter topics, please email us at datenschutz@brandi.net. You can also find the other contact details on our homepage.
Dr. Sebastian Meyer and the BRANDI data protection team
Topic of the month: Review of 2024 and outlook for 2025
Data protection law in 2024 was shaped by numerous decisions of authorities and courts on the interpretation and application of the GDPR. Questions regarding the scope of claims for damages under Art. 82 GDPR and the scope of the right of access under Art. 15 GDPR took up a great deal of space. In addition, the legal classification of various user tracking technologies and the permissibility of data processing for advertising purposes continued to be discussed intensively. The new AI Regulation (AI Act), which is also relevant to the processing of personal data, was published in the Official Journal in July 2024 and entered into force on August 1, 2024. It takes a risk-based approach and specifies, among other things, the requirements that providers, deployers, importers and distributors of AI systems must comply with.
On May 24, 2024, our BRANDI Data Protection Law Day took place for the fifth time. Our guests were Dr. Thilo Weichert, the former head of the data protection supervisory authority of Schleswig-Holstein (ULD), and Prof. Dr. Eckhard Koch, Vice President for Research, Development and Transfer at FHDW Paderborn. Under the heading “Security begins with data protection”, we exchanged views with Dr. Weichert and Prof. Dr. Koch on a range of issues. In discussions with lawyers from BRANDI, the guest speakers provided fascinating insights into current data protection questions, ongoing proceedings before the supervisory authorities, and their day-to-day work.
We have taken the turn of the year as an opportunity to review the main topics and particularly relevant developments and events of the past year in our traditional annual review. We also venture an outlook for the new year and the developments to be expected in 2025.
Save the Date: BRANDI Data Protection Law Day 2025
We cordially invite you to our sixth BRANDI Data Protection Law Day on May 16, 2025. This year's event will take place in Herford. As in previous years, it will also be possible to follow the Data Protection Law Day online.
Since the GDPR came into force, some data protection issues in connection with the application of the GDPR have been fully or at least partially clarified. Other questions and problems continue to arise or are even completely new.
We have once again been able to attract a renowned expert for the event. This year, our guests will include Prof. Ulrich Kelber, former Federal Commissioner for Data Protection and Freedom of Information (BfDI).
You can already look forward to interesting presentations and exciting discussions. We will inform you about the details of the event and how to register in due course on our homepage and in our data protection newsletter.
EKD Synod evaluates data protection law
On November 14, 2024, the Synod of the Evangelical Church in Germany (EKD) evaluated the EKD Data Protection Act (DSG-EKD) and adopted amendments that will enter into force on May 1, 2025 (communication of 14.11.2024). The EKD has its own data protection law, which entered into force six years ago and is modelled on the General Data Protection Regulation. In particular, various clauses on data processing and the rules on communication with church members have been revised. The much-criticized “submission clause”, under which non-church processors had to submit to church data protection law, has been deleted. In addition, the amended DSG-EKD now makes it possible to procure software centrally and use it in the member churches without additional internal data protection agreements.
(Christina Prowald)
ECJ on the exceptions to the information obligation under Art. 14 (5) GDPR
In its judgment of November 28, 2024, the ECJ dealt with the exceptions to the information obligation under Art. 14 (5) GDPR (ECJ, judgment dated 28.11.2024 - Ref. C-169/23).
In the underlying case, the competent Hungarian authority had issued an immunity certificate attesting to vaccination against Covid-19. The personal data used for this purpose had been generated by the authority itself in a separate procedure. The data subject complained to the supervisory authority, arguing that the authority had not properly informed him in accordance with Art. 14 (1) GDPR. The authority, for its part, took the view that it was exempt from the information obligation under Art. 14 (5) (c) GDPR. The Hungarian court that was then seized of the matter held that the exemption under Art. 14 (5) GDPR did not apply, because some of the data used had not been obtained from another body but had been generated by the authority itself in the course of performing its tasks. The authority challenged this finding.
The ECJ has now ruled that Art. 14 (5) (c) GDPR must be interpreted as meaning that the exception to the obligation to provide information applies without distinction to all personal data that the controller has not collected directly from the data subject, regardless of whether the controller obtained the data from another body or generated it itself. In its reasoning, the court states that the wording of the provision does not exclude data generated in the course of the performance of tasks on the basis of data supplied by third parties. Since Art. 13 and Art. 14 GDPR are designed to complement each other, all data not covered by Art. 13 GDPR falls in principle within the scope of Art. 14 GDPR, so the data in question is covered as well. The ECJ further ruled that, in a complaint procedure, the supervisory authority may examine whether the law of the Member State to which the controller is subject provides for appropriate measures to protect the legitimate interests of data subjects, as required for the exception in Art. 14 (5) (c) GDPR. This examination does not, however, extend to the suitability of the measures that the controller must implement under Art. 32 GDPR to ensure the security of processing.
(Christina Prowald)
Austrian Federal Administrative Court on the use of Google reCAPTCHA
On September 13, 2024, the Austrian Federal Administrative Court ruled that the Google reCAPTCHA service may only be used with the prior express consent of the user (BVwG, decision dated 13.09.2024 - Ref. W298 2274626-1/8E).
The court found that cookies are set when Google reCAPTCHA is used, which enable website operators to distinguish between website visitors. In principle, such cookies require consent, and no consent had been obtained in the present case. The data processing could also not be based on the legitimate interests of the website operator within the meaning of Art. 6 (1) sentence 1 (f) GDPR. In the court's view, the cookies set by Google reCAPTCHA are not necessary for the operation of a website, even if preventing bot entries is in principle advantageous for the operator. The service was not technically necessary, as it had no influence on the functionality of the website. Consequently there was no legitimate interest, and consent to the use of the service would have been required. In principle, however, it remains possible to base a CAPTCHA service on legitimate interest alone, provided that no further data processing takes place in this context, as it does with Google reCAPTCHA.
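The practical consequence of the decision for website operators is that the reCAPTCHA script, and with it any cookies it sets, must not be loaded until the visitor has actively opted in. The following consent gate is an added illustration written for this newsletter, not code from the court file or from Google. It assumes that a consent banner reports the visitor's choice via setConsent(), uses a minimal stand-in for the browser document so that it also runs under Node, and loads Google's public script URL only after an explicit true.

```javascript
// Added illustration: keep the Google reCAPTCHA loader (and any cookies it
// sets) off the page until the visitor has explicitly opted in.
// Assumptions (not from the original text): a consent banner calls
// setConsent(); widgets that need reCAPTCHA register via whenAvailable().
const RECAPTCHA_SRC = "https://www.google.com/recaptcha/api.js";

function createConsentGate(doc) {
  let consented = false;   // opt-in only: nothing is assumed by default
  let loaded = false;      // ensures the script tag is injected at most once
  const pending = [];      // callbacks from components waiting for the script

  function injectScript() {
    if (loaded) return;
    const s = doc.createElement("script");
    s.src = RECAPTCHA_SRC;
    s.async = true;
    doc.head.appendChild(s);
    loaded = true;
    while (pending.length) pending.shift()();
  }

  return {
    // Called by the consent banner. Only a strict boolean true loads anything;
    // a dismissed banner (undefined) or a rejection (false) loads nothing.
    setConsent(value) {
      consented = value === true;
      if (consented) injectScript();
    },
    // Components that need reCAPTCHA register here instead of loading it.
    whenAvailable(cb) {
      if (loaded) cb(); else pending.push(cb);
    },
    hasLoaded() { return loaded; },
    isConsented() { return consented; },
  };
}

// Minimal stand-in for the browser document so the gate runs outside a browser.
function fakeDocument() {
  const head = { children: [], appendChild(el) { this.children.push(el); } };
  return { head, createElement(tag) { return { tagName: tag }; } };
}

// Walks through the states a banner can produce and reports what was loaded.
function demo() {
  const doc = fakeDocument();
  const gate = createConsentGate(doc);
  let widgetInitialised = 0;
  gate.whenAvailable(() => { widgetInitialised++; });
  const beforeConsent = doc.head.children.length;   // nothing loaded yet
  gate.setConsent(undefined);                       // banner dismissed without a choice
  gate.setConsent(false);                           // explicit rejection
  const afterRejection = doc.head.children.length;  // still nothing loaded
  gate.setConsent(true);                            // explicit opt-in
  gate.setConsent(true);                            // idempotent: no second tag
  return {
    beforeConsent,
    afterRejection,
    afterConsent: doc.head.children.length,
    src: doc.head.children[0].src,
    widgetInitialised,
  };
}

console.log(demo());
```

The gate only addresses the loading side: once the script has run, the cookies it sets belong to the third party's domain and cannot be removed by the website operator, which is why the decision turns on obtaining consent before the first load rather than on cleaning up afterwards.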
(Christina Prowald)
LG Duisburg on the limitation period for claims for damages under data protection law
On October 7, 2024, the Duisburg Regional Court ruled that claims for damages under Art. 82 (1) GDPR are subject to the general limitation period of Sections 195 and 199 (1) BGB (LG Duisburg, judgment dated 07.10.2024 - Ref. 2 O 31/24; GRUR-RS 2024, 31634).
In the underlying case, the plaintiff had concluded a mobile phone contract with the defendant telecommunications provider Vodafone in 2020. The contract contained a clause under which the customer's personal data was passed on to a credit agency by default for the purpose of credit checks, and the plaintiff also received a data protection information sheet that referred to this transfer. At the end of 2023, the plaintiff obtained a copy of the data stored about her by the credit agency, which included the positive data (information about the existence and performance of the contract, not about any payment default) transmitted in connection with the mobile phone contract. At the beginning of 2024 she demanded compensation of 4,000 euros from the defendant.
The court dismissed the claim, holding that any claims for damages had become time-barred on December 31, 2023. The plaintiff had obtained, or should have obtained, knowledge of the circumstances giving rise to the claim and of the identity of the debtor when the contract was concluded, since the defendant had expressly referred to the data transfer in the contract and the accompanying data protection information. Irrespective of the limitation issue, the court also found that there was no claim under Art. 82 (1) GDPR at all, as there was neither a violation of the GDPR nor any damage.
(Christina Prowald)
The limitation period for the right of access
On November 22, 2024, the Chemnitz Local Court ruled that the right of access under Art. 15 (1) GDPR is not subject to a limitation period and exists as an independent primary claim even if no personal data is being processed (AG Chemnitz, judgment dated 22.11.2024 - Ref. 16 C 1063/24; GRUR-RS 2024, 33206). European law does not provide for a limitation period for the claim under Art. 15 GDPR. By its very nature the claim cannot become time-barred either, since it has no preconditions for arising and can be asserted at any time. This also applies where no personal data has been processed at all, because in that case there is at least a right to a negative confirmation.
The Hamburg Higher Labor Court, by contrast, takes the view that data protection claims such as the right of access under Art. 15 GDPR can be covered by preclusion clauses in employment contracts and thus be excluded (LAG Hamburg, judgment dated 11.06.2024 - Ref. 3 SLa 2/24). The GDPR itself contains no provisions on whether data subjects can dispose of their rights. In such cases, according to the ECJ, it is for the Member States to design the procedural rules that safeguard the rights individuals derive from Union law, subject only to the principles of equivalence and effectiveness. Contractual preclusion periods are compatible with these principles, so data protection claims may be subject to them. An appeal in the proceedings is currently pending before the Federal Labor Court.
(Christina Prowald)
ArbG Duisburg: 10,000 euros in damages due to publication of health data
The Duisburg Labor Court has awarded an employee damages of 10,000 euros against his employer because the employer disclosed the employee's health data in an email without authorization (ArbG Duisburg, judgment dated 26.09.2024 - Ref. 3 Ca 77/24).
The court found violations of Art. 5 (1) (a), Art. 6 (1) and Art. 9 (1) GDPR, as there was no legal basis for publishing and disclosing information about the plaintiff's ongoing illness. It also found non-material damage: almost 10,000 recipients of the email learned of the plaintiff's illness, its duration and the accusation that he was faking it, and the plaintiff was even approached about the matter in his free time. His reputation had suffered and his standing had been damaged as a result. Against this background, the court considered compensation of 10,000 euros to be appropriate.
(Christina Prowald)
VG Düsseldorf on measures against a data protection breach
In its judgment of November 11, 2024, the Düsseldorf Administrative Court ruled that remedial measures under Art. 58 (2) GDPR cannot be ordered if the controller responsible for a data protection breach cannot be identified (VG Düsseldorf, judgment dated 11.11.2024 - Ref. 29 K 4853/22). The supervisory authority nevertheless has a fundamental duty to investigate the facts and to clarify all circumstances needed to examine and verify the breach, which includes establishing who committed it.
In criminal proceedings against the plaintiff, a former civilian employee of the police and intelligence services, court files had been passed on to the media, leading to various press reports. The plaintiff therefore demanded that the state data protection authority take action against the incident and prevent future disclosure of his data. The supervisory authority discontinued the proceedings, however, because despite several inquiries to the public prosecutor's office and the court involved it was unable to identify anyone responsible for the breach.
The VG held that the plaintiff had no claim against the defendant to take action. Supervisory authorities are obliged to handle the complaints they receive and to investigate them to an appropriate extent, and if a breach is established they must respond appropriately in order to remedy it; the specific measures are at the authority's discretion. In the present case, however, the court found that although the transfer of the court files may have constituted unlawful processing, the plaintiff was not entitled to supervisory measures, because the controller responsible for the breach of the protection of his personal data could not be identified with reasonable effort and was therefore not known.
(Christina Prowald)
DSK: Guidance for providers of digital services
In November 2024, the Data Protection Conference (DSK), the body of the independent federal and state data protection supervisory authorities, published an updated version of its guidance for providers of digital services.
The guidance deals in detail with the scope of Section 25 TDDDG, the requirements for the user's consent needed for the use of cookies and similar technologies, and the exceptions to the consent requirement. It also addresses the lawfulness of processing and the relevant legal bases under Art. 6 GDPR as well as the data subjects' rights under Art. 13, 15 and 17 GDPR (information obligations, right of access and right to erasure). In addition, it summarizes the requirements to be observed when designing a cookie banner. The new guidance supplements the guidance for telemedia providers, which was last published in a revised version in December 2021.
(Christina Prowald)
HBDI takes action against Deutsche Bahn
With effect from the timetable change on December 15, 2024, Deutsche Bahn has changed its conditions for purchasing saver fare tickets: customers no longer need to provide an e-mail address or mobile phone number to buy one (notification of 09.12.2024).
The changes were prompted by a supervisory procedure of the Hessian Commissioner for Data Protection and Freedom of Information (HBDI), which in turn was triggered by numerous customer complaints. Customers criticized the fact that discounted tickets could only be bought by providing an email address or mobile phone number, even at the ticket counter, so that customers without internet access or a smartphone were excluded from the discounts. HBDI Prof. Dr. Alexander Roßnagel commented on the changes as follows: “We welcome the fact that the data protection conflict has been resolved in a constructive manner.”
(Christina Prowald)
HmbBfDI: Fine of 900,000 euros imposed
In November 2024, the Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI) imposed a fine of 900,000 euros on a Hamburg-based service provider in the receivables management industry for storing personal data for up to five years after the applicable deletion periods had expired, without any legal basis (notification of 12.11.2024).
The breach came to light not through a complaint but in the course of a priority audit in which the HmbBfDI examined how the service providers in this sector process and store debtors' data. The companies received questionnaires and were asked to submit various data protection documents, such as the record of processing activities and the overview of technical and organizational measures. Some companies were also visited on site by staff of the supervisory authority.
In the course of the audit, the HmbBfDI found that the company had stored a six-figure number of data records without a legal basis, in breach of Art. 5 (1) (a) and Art. 6 (1) GDPR. The company acknowledged the breach and accepted the fine; its cooperation with the supervisory authority was taken into account in calculating the amount. A second case against another audited company is still ongoing.
HmbBfDI Thomas Fuchs commented on the matter as follows: “When the customer relationship ends, the data collected must be deleted immediately or after specified periods. Companies should therefore take stock of what data is collected and how long it may be stored before they collect it. It is unacceptable if companies working in data-driven digital industries have not developed a coherent deletion concept.”
(Christina Prowald)
France: No “dark patterns”
In response to numerous complaints, the French supervisory authority (CNIL) formally requested several website publishers on December 12, 2024 to stop using so-called “dark patterns” and to change their cookie banners, which it classified as misleading, within one month (communication of 12.12.2024).
The complainants had argued that the cookie banners were designed to lead users into giving consent. The CNIL stated that although the law does not prescribe a particular way of presenting the choices in a cookie banner, those responsible for a website must choose a design that does not mislead data subjects. It must be as easy for the user to refuse cookies as to accept them. The information provided in the banner must also be clear and complete and must inform the user about the purposes of the processing and how cookies can be refused.
The CNIL therefore called on the companies to modify their cookie banners so that the options to accept and to refuse cookies are given equal prominence and users are not steered into consenting by the design. In particular, the refusal option may not be presented as a mere clickable link that recedes behind the accept button; it may not be buried in the informational text so that it is hard to recognize; it may not be placed so that it cannot be distinguished from the other information; and it may not appear only once and in non-explicit form while the accept option is repeated several times in the banner.
(Christina Prowald)
Finland: Fine of 2.4 million euros imposed on Posti
On November 13, 2024, the Finnish supervisory authority imposed a fine of 2.4 million euros on the postal company Posti (notification of 06.12.2024). Following several complaints from users, the authority had investigated the processing of personal data in connection with the creation of electronic mailboxes at Posti.
The company had automatically set up electronic mailboxes, without any separate application, for customers who used its other services, and had linked the mailboxes to those services. Because all services were bundled in a single contract, customers could not choose whether or not to use the electronic mailbox, nor could they give up the mailbox without also losing the other services.
The supervisory authority took the view that the services requested by the customers could have been provided without automatically creating an electronic mailbox. In addition, customers had not been clearly informed about the creation of the mailbox, and the mailbox's technical default settings did not comply with data protection requirements. The authority therefore found violations of Art. 5 and 6 GDPR (principles relating to processing and lawfulness of processing), Art. 13 GDPR (information obligations) and Art. 25 GDPR (data protection by design and by default).
(Christina Prowald)

On our own behalf: Introducing Geraldine Paus
Since July 2024, Ms. Geraldine Paus has been supporting the BRANDI team in Bielefeld as a research associate and strengthening the IT & Data Protection department. Ms. Paus studied business law at the IU International University of Applied Sciences and graduated in 2021 with a Bachelor of Laws degree. She has also completed a commercial apprenticeship and works at an IT company alongside her work at BRANDI.