Data protection newsletter

Our BRANDI Data Protection Law Day will take place on May 16, 2025. In keeping with tradition, we would like to invite you to attend!

This year's event will take place in Herford on the premises of Marta. In addition, this year there will also be the opportunity to follow our Data Protection Law Day online as a passive participant.

We were once again able to attract a renowned expert for the event. This year, we will be discussing with Prof. Ulrich Kelber, former Federal Commissioner for Data Protection and Freedom of Information (BfDI), among others.

You can already register for the event using our registration form, which you can find at the following link: Data Protection Law Day 2025. We will inform you about further details and the content of the event as soon as possible.

For feedback on this newsletter or questions related to the newsletter topics, please email us at datenschutz@brandi.net. You can also find the other contact details on our homepage.

Dr. Sebastian Meyer and the BRANDI data protection team


Topic of the month: When is a request for information abusive?

The constitutional right to informational self-determination means that data subjects can generally decide for themselves which of their personal data may be processed by which bodies and for which purposes. In order to make use of this right, it is necessary for the data subjects to know what exactly happens to their data. Based on this approach, the General Data Protection Regulation (GDPR) provides for various information obligations for data processors such as companies as well as extensive rights for persons affected by the processing of personal data. One of the central rights of data subjects under the GDPR concept is the right of access, which is enshrined in Art. 15 GDPR.


ECJ on the data required to purchase a rail ticket

On January 9, 2025, the ECJ ruled that a customer's gender identity is not information necessary for the purchase of a ticket (ECJ, decision dated 09.01.2025 - Ref. C-394/23). Collecting a form of address for the customer is not objectively indispensable, especially if it merely serves to personalize business communication.

When purchasing tickets online from the French railway company SNCF Connect, customers are obliged to state their title (“Mr.” or “Mrs.”). This practice was challenged by the Mousse association. However, the complaint lodged with the French supervisory authority (CNIL) was unsuccessful, as the CNIL took the view that requesting the form of address did not constitute a breach of the GDPR. This led to a legal dispute between the parties, which ultimately resulted in a request for a preliminary ruling from the ECJ.

The ECJ has now ruled that the collection of customer salutation data, which merely aims to personalize business communication, does not appear to be objectively indispensable or essential for the proper performance of a contract and therefore cannot be considered necessary for the performance of the contract. An inaccurate form of address has no effect on the provision of transport services, which is why the form of address is not objectively indispensable for the performance of the main subject matter of the contract. In this respect, the company in question could just as well opt for communication based on general and inclusive courtesy formulas that are unrelated to the gender identity of the customer.

In the court's view, the processing also cannot be considered necessary to safeguard legitimate interests if the customers were not informed of the interest pursued, if the processing is not limited to what is strictly necessary, or if the interests of the customers prevail, in particular due to the risk of discrimination. In the present case, it is for the referring court to verify whether these conditions are met. However, the ECJ provided the following guidance in this regard. The national court must first verify whether the data subjects were provided with all the necessary information, in particular the legitimate interest pursued, when their data was collected. It should also be noted that the personalization of commercial direct advertising can, as a rule and subject to review, be limited to the processing of surname and first name, as an additional form of address does not appear to be absolutely necessary. When weighing the interests of the data subject against those of the controller, the reasonable expectations of the data subject, the scope of the processing in question and its impact on the individual must also be taken into account. In particular, the court must examine whether there is a risk of discrimination based on gender identity.

Irrespective of the specific case, the ECJ's statements already show that when requesting customer data, it must always be checked very carefully whether the data requested is really limited to what is necessary, and that all other information should, wherever possible, be requested on a voluntary basis only.

(Christina Prowald)


ECJ: Apology as compensation for damage

In its decision of October 4, 2024, the ECJ once again had to deal with questions regarding the claim for damages under Art. 82 (1) GDPR, in particular the question of whether non-material damage can also be compensated by an apology from the controller (ECJ, decision dated 04.10.2024 - Ref. C-507/23).

In the original dispute, the plaintiff asserted a claim for compensation for the non-material damage he had suffered because the Latvian Consumer Protection Center, in a campaign to raise awareness of the risks of buying a used car, disseminated a video sequence on several websites in which a person imitated the plaintiff without his consent. In an appeal before the Supreme Court, the plaintiff is now challenging a ruling that denied him financial compensation. Among other things, the Supreme Court referred to the ECJ the question of whether an obligation to apologize can be imposed as compensation if there is no possibility of restoring the situation that existed before the damage occurred.

The court first pointed out that, in the absence of a separate provision in the GDPR, it is up to the national legal systems to determine the scope of financial compensation, provided that the principles of equivalence and effectiveness under EU law are observed. The compensation must therefore fully and effectively compensate for the damage incurred, whereby even minor compensation may be sufficient if the damage incurred is not serious. Art. 82 (1) GDPR does not exclude the possibility that an apology may constitute independent or supplementary compensation for non-material damage, provided that the non-material damage is fully compensated. Whether this is the case here must be assessed by the national court.

(Gesche Kracht)


EGC: EU Commission must pay damages

On January 8, 2025, the EGC ordered the EU Commission to pay 400 euros in damages for the non-material damage caused by the transfer of personal data to a company based in the USA (EGC, decision dated 08.01.2025 - Ref. T-354/22).

The plaintiff had visited the website of the Conference on the Future of Europe, which is operated by the EU Commission, several times in 2021 and 2022. The website is delivered via the content delivery network “Amazon CloudFront” on the basis of a corresponding contract between the Commission and Amazon Web Services EMEA, based in Luxembourg. When visiting the website, the plaintiff had registered for the “GoGreen” event via the “EU Login” authentication service, choosing to register via his Facebook account. The plaintiff claims that, through the integration of these services, his data, in particular his IP address, was transmitted to servers in the USA, causing him non-material damage due to the loss of control over his data. The plaintiff is now asserting a claim for damages under Art. 65 of the Regulation on the protection of natural persons with regard to the processing of personal data by the institutions, bodies, offices and agencies of the Union.

With regard to the disputed data transmission to “Amazon CloudFront” servers in the USA, the court found that the service generally uses a routing mechanism based on the principle of proximity, which always forwards users to the servers with the lowest latency in relation to the respective device. The Commission had chosen a geographical configuration that also included the territory of North America, but in principle, requests from users in the Union are normally forwarded to servers located in the Union. This setting did make a transmission of the plaintiff's IP address to the USA possible, but the direct cause of the damage claimed in this regard was a setting by the plaintiff that changed the location displayed for him online. With regard to “Amazon CloudFront”, the court also did not consider any data transfer to the USA to have been proven at any other time.

However, the plaintiff had suffered non-material damage due to the transmission of data to Meta Platforms' servers in the USA. By clicking on the link that made it possible to log in to “EU Login” via Facebook, the plaintiff's IP address was transmitted to Meta Platforms, a company based in the USA. This constitutes a transfer of personal data to a third country within the meaning of Art. 46 GDPR, which was inadmissible due to the lack of an adequacy decision at the time. The damage suffered by the plaintiff in the form of the loss of control was also causal and therefore to be compensated by the Commission in the amount of 400 euros.

(Gesche Kracht)


BGH again on the right of access under Art. 15 GDPR

In its decision of December 18, 2024, the BGH once again commented on claims for information in connection with premium adjustments for private health insurance policies and confirmed its previous case law (BGH, decision dated 18.12.2024 - Ref. IV ZR 207/23; we already reported on this in November 2023).

In the underlying case, the plaintiff requested information from the defendant, in the form of suitable documents, about all premium adjustments the defendant had made to the insurance contract in 2012, 2014 and 2017. With reference to its decision from September 2023, the BGH once again ruled that the plaintiff is not entitled under Art. 15 (1) and (3) GDPR to a copy of the entire letter justifying the premium adjustment or of the addenda to the insurance policy. Nor does a right of access arise from the Insurance Contract Act. However, the policyholder could be entitled to a claim for information under the principle of good faith if he is excusably unaware of the existence and scope of his right. Such a claim presupposes that the claimant no longer has the requested documents. In addition, the plaintiff must explain how the loss occurred so that it can be assessed whether the plaintiff is exceptionally entitled to a right of access under Section 242 BGB. In this respect, the court stated that the findings necessary for a decision had not yet been made, which is why it referred the matter back to the court of appeal.

(Christina Prowald)


BFH on the requirement of an out-of-court request for information pursuant to Art. 15 GDPR

In its decision of November 12, 2024, the Federal Fiscal Court dealt with the requirement of an out-of-court application in the case of an action for disclosure pursuant to Art. 15 GDPR (BFH, decision dated 12.11.2024 - Ref. IX R 20/22).

The plaintiff initially asked the tax office to provide information about which of his personal data was being processed. After further correspondence with the tax office, the plaintiff withdrew this request. Later, the plaintiff wrote to the tax office requesting that it provide him with all or part of the files held by the tax office and, at the same time, filed an action against the tax office for information pursuant to Art. 15 GDPR. The Münster tax court dismissed the action as inadmissible because there was no out-of-court request and the plaintiff was therefore not adversely affected (FG Münster, decision dated 24.02.2022 - Ref. 6 K 3515/20).

The BFH dismissed the plaintiff's appeal against this decision and confirmed the decision of the tax court. The court emphasized that an action for information pursuant to Art. 15 GDPR is only admissible if such a request has previously been submitted to the authority. Nothing in the GDPR contradicts this, as the national procedural rules determine how the legal remedies provided for by the GDPR are to be implemented. The plaintiff had initially submitted a request, but later withdrew it. The tax court permissibly interpreted the subsequent letter not as a request for information pursuant to Art. 15 GDPR, but as a request for access to the file. The right of access under Art. 15 GDPR is not identical to the right of access to the file, which is why the latter cannot be the subject of the court proceedings.

(Marc-Levin Joppek)


OLG Hamm, OLG Dresden and OLG Celle on the claim for damages due to data scraping on Facebook

Recently, several higher court decisions have been handed down on claims for damages under Art. 82 GDPR by those affected by data scraping on Facebook. The focus was on the requirements for non-material damage. In their reasoning, the courts already took up the requirements of the BGH's recent leading decision on this topic, which we already discussed in the December 2024 issue of our newsletter.

In its decision, the Higher Regional Court of Hamm denied the plaintiff a claim for damages pursuant to Art. 82 GDPR (OLG Hamm, decision dated 29.11.2024 - Ref. 25 U 25/24, GRUR-RS 2024, 34277). The plaintiff had proven neither the occurrence of a loss of control nor its causal link to the defendant's breach of the provisions of the GDPR. According to the principles of the BGH, a loss of control presupposes that the data subject initially had control over the specific data and later lost this control against his or her will due to the data protection breach. The burden of proof here lies with the claimant. During his hearing at the lower court, the claimant mentioned one to two spam calls and one to three spam text messages. In the opinion of the court, this number of contact attempts does not allow a viable conclusion to be drawn about a loss of control, because spam calls and spam text messages are, to a certain extent, not unusual. According to the plaintiff, there had been an increase in fraudulent contact attempts in December 2019. Given that the scraped data records were not publicly disseminated until April 2021, a loss of control attributable to the scraping cannot be assumed with the necessary certainty. If a loss of control is not proven, as in this case, a well-founded fear of misuse may be sufficient to justify non-material damage. However, the fear, including its negative consequences, must be properly proven. The plaintiff was unable to provide this evidence in the specific case.

The Higher Regional Court of Dresden, however, awarded a person affected by data scraping a claim for damages under Art. 82 GDPR (OLG Dresden, decision dated 10.12.2024 - Ref. 4 U 808/24, available at www.justiz.sachsen.de/esamosplus/pages/index.aspx). Following the opinion of the BGH, the court allows an “abstract” loss of control to suffice as immaterial damage, without the need for a credible justification from the data subject that they have become anxious or worried due to the data protection breach. In the present case, the loss of control on the part of the data subject and the resulting spam text messages and spam emails were attributable to the scraping incident. When estimating the damage, particular attention should be paid to the possible sensitivity of the specific personal data concerned, its appropriate use, the type and duration of the loss of control and the possibility of regaining control or changing the personal data. In cases in which it would be possible to regain control with reasonable effort, the hypothetical effort required to regain control (here in particular a change of telephone number) could serve as an indication of effective compensation. In its ruling, the Federal Court of Justice considered an estimate of such costs in the order of 100 euros to be appropriate. The Senate also considers this amount to be reasonable in the present case.

In its reference decision, the OLG Celle commented on several proceedings in the area of Facebook data scraping pending before the Senate (OLG Celle, decision dated 09.01.2025 - Ref. 5 U 173/23). The court declared that it would follow the guidelines of the BGH. The mere loss of control already constitutes non-material damage, and no particular fears or anxieties on the part of the person concerned are required. According to the current state of deliberations, the Senate considers non-material damages in the amount of 100 euros to be appropriate. If the “consequences” associated with the loss of control exceed the threshold of “inconveniences that directly affect everyone”, this may justify higher damages. However, according to the Senate's understanding of the BGH's ruling, this would require particularly significant circumstances. Such a special circumstance would exist, for example, if the data subject is undergoing medical treatment for anxiety due to the data leak and its effects.

(Marc-Levin Joppek)


OLG Düsseldorf on the purpose of a request for information

On December 2, 2024, the Higher Regional Court of Düsseldorf ruled that the right of access under Art. 15 GDPR is not excluded by the fact that it serves to prepare payment claims (OLG Düsseldorf, decision dated 02.12.2024 - Ref. 16 W 93/23).

In the first instance, the plaintiff had initially asserted a claim for information pursuant to Art. 15 GDPR against a gambling provider by way of an action by stages, in particular with regard to his payment and gambling history, and demanded in the second stage payment of an amount resulting from that information. Although the defendant provided the requested information, it takes the view that a claim for information is precluded because the right of access is not intended to serve the preparation of payment claims. According to the court's decision, the right of access under Art. 15 GDPR is not subject to any requirement that the data subject handle the requested information in a particular way. The right of access exists independently of the purposes pursued with the information and does not depend on a specific justification. Accordingly, a claim under Art. 15 GDPR is not precluded if the data subject hopes to obtain information in order to quantify a payment claim. Overall, the OLG's ruling is in line with the existing case law of the ECJ and BGH.

(Gesche Kracht)


LfD Lower Saxony on the Consent Management Ordinance

The State Commissioner for Data Protection of Lower Saxony (LfD Niedersachsen) has commented on the Consent Management Ordinance adopted on December 20, 2024 (we reported in January 2025) and pointed out that the ordinance fails to achieve its actual objective (communication of 27.12.2024). In particular, important points of criticism, expressed a year ago by the Data Protection Conference and now again by the LfD in the context of the Federal Council's approval, have not been addressed in the current version. These include the fact that cookie banners are still required, as the consent management services are only linked to the decisions made via the consent banners; the limited scope of application, which only covers consent in accordance with Section 25 TDDDG; the voluntary nature of the use of such services by website operators; and the lack of clarity as to who is to offer the services in the first place. As a result, the LfD Lower Saxony assumes that the current practice of obtaining consent will not change significantly.

(Christina Prowald)


France: Fine of 50 million euros imposed on Orange

On November 14, 2024, the French supervisory authority (CNIL) imposed a fine of 50 million euros on the telecommunications provider Orange because the company displayed advertising messages in the form of emails between users' real emails in its email service “Mail Orange” without their consent to this advertising measure (notification of 10.12.2024). In addition, the CNIL found that Orange continued to read cookies even after users had withdrawn their consent to the use of cookies. The high number of people affected, the company's market position and the financial advantage gained were taken into account when calculating the fine.

(Christina Prowald)


France: Fine of 240,000 euros imposed on KASPR

On December 5, 2024, the French supervisory authority (CNIL) imposed a further fine of 240,000 euros on KASPR because the company collected contact data of LinkedIn users even where those users had hidden it (notification of 19.12.2024).

KASPR offers an extension for the Chrome browser that enables customers to obtain the contact details of people whose profiles they have visited on LinkedIn. In order to provide the data, the company maintains a database of around 160 million contacts, compiled from LinkedIn and other websites. The company collected data not only from LinkedIn users who had made their data visible to everyone, but also from users who had restricted access to their contact details.

After numerous people complained to the CNIL about being solicited by companies that had obtained their contact details via the KASPR extension, the supervisory authority launched an investigation into the company. The CNIL found that collecting the contact data of LinkedIn users who had explicitly restricted the visibility of their data went beyond what users of such a network could reasonably expect, and that KASPR was therefore not authorized to access and collect that contact data. With regard to the data obtained lawfully, the CNIL stated that the company retained it for a disproportionately long period. Furthermore, in the view of the supervisory authority, KASPR did not properly comply with its information and disclosure obligations. The supervisory authority consequently found violations of Art. 5 (1) (e) (storage limitation), Art. 6 (lawfulness of processing), Art. 12 (transparent information), Art. 14 (information obligation) and Art. 15 (right of access) GDPR.

(Christina Prowald)


Ireland: Fine of 251 million euros imposed on Meta

The Irish Data Protection Commission (DPC) has imposed a fine totaling 251 million euros on Meta Platforms Ireland Limited for a security breach (notification of 17.12.2024).

By exploiting user tokens, unauthorized third parties were able to access a large amount of user data, such as name, email address, telephone number, workplace, date of birth, religion, gender and interests. The incident affected 29 million Facebook accounts worldwide. The DPC identified the following violations:

- Violation of Art. 33 (3) GDPR due to the provision of insufficient information in the context of the data breach notification (8 million euros).

- Violation of Art. 33 (5) GDPR due to insufficient documentation of the individual circumstances and the remedial measures taken (3 million euros).

- Violation of Art. 25 (1) GDPR due to insufficient compliance with data protection principles in the design of the processing system (130 million euros).

- Violation of Art. 25 (2) GDPR due to non-compliance with the requirement that, by default, only data that is necessary for the specific purposes is processed (110 million euros).

The Deputy Data Protection Commissioner, Graham Doyle, commented on the decision as follows: “This enforcement action highlights how the failure to build in data protection requirements throughout the design and development cycle can expose individuals to very serious risks and harms, including a risk to the fundamental rights and freedoms of individuals. Facebook profiles can, and often do, contain information about matters such as religious or political beliefs, sexual life or orientation, and similar matters that a user may wish to disclose only in particular circumstances. By allowing unauthorized exposure of profile information, the vulnerabilities behind this breach caused a grave risk of misuse of these types of data.”

(Christina Prowald)


Netherlands: Fine of 4.75 million euros imposed on Netflix

The Dutch supervisory authority has imposed a fine of 4.75 million euros on the streaming service Netflix because the company did not sufficiently inform its customers in its privacy policy about how it handles their data (notification of 18.12.2024).

The supervisory authority particularly criticized the information provided by the company regarding the purposes and legal bases, data transfers to other parties, retention periods and the safeguarding of data transfers to third countries. As part of its investigation, it also found that Netflix did not adequately respond to data protection requests from users. The investigation was based on various complaints from the Austrian data protection organization “None of your business (noyb)”.

Netflix has appealed against the supervisory authority's decision, but has also amended its privacy policy and improved the information it provides.

Aleid Wolfsen, Chairman of the Dutch Data Protection Authority, commented on the proceedings as follows: “A company like that, with a turnover of billions and millions of customers worldwide, has to explain properly to its customers how it handles their personal data. That must be crystal clear. Especially if the customer asks about this. And that was not in order.”

(Christina Prowald)