Newsletter data protection

Dear readers,

Our 5th BRANDI-Data Protection Law Day will take place on May 24, 2024. In keeping with tradition, we cordially invite you to join us now!

This year's event will take place in Paderborn at the Heinz-Nixdorf-Museumsforum on the premises of the University of Applied Sciences. In addition, there will also be the opportunity to participate passively online in our Data Protection Law Day this year.

We have once again been able to attract a renowned expert for the event. This year, we will be discussing with Thilo Weichert, a long-standing jury member who helps decide the winners of the annual Big Brother Awards. Dr. Weichert is one of Germany's best-known data protection experts and former head of the data protection supervisory authority in Schleswig-Holstein (ULD).

You already have the opportunity to register for the event using our registration form. You can find the registration form under the following link: Registration. We will inform you about further details and the content of the event as soon as possible.

For feedback on this newsletter or questions related to the newsletter topics, please email us at datenschutz@brandi.net. You can also find the other contact details on our homepage.

Dr. Sebastian Meyer and the BRANDI data protection team

Topic of the month: Data protection-compliant design of a cookie banner

The majority of online offerings employ user tracking tools and other third-party services, for example for the integration of maps or videos. To protect privacy, case law has formulated various requirements based on the right to informational self-determination that must be complied with when using such services. The requirements must be observed above all when cookies that are not technically necessary are used. In these cases, the ECJ (ECJ, decision dated 01.10.2019, ref. C-673/17) and the BGH (BGH, decision dated 28.05.2020, ref. I ZR 7/16) consider it necessary to obtain the user's consent to the data processing carried out in this context. The highest courts have not yet expressly ruled on the use of technologies comparable to cookies. However, taking into account the e-Privacy Directive and the Telecommunications and Telemedia Data Protection Act (TTDSG), corresponding requirements apply in this respect as well. A so-called cookie banner is typically used to request consent. Since website operators generally have a great interest in analyzing the behavior and interests of users in order to be able to present them with offers and advertising tailored to them, among other things, they often try to use a cookie banner design that is as optimized as possible for the operator in order to achieve the highest possible consent rate. Such arrangements are also permissible within certain limits; however, the basic requirements of the General Data Protection Regulation (GDPR), the case law on this topic and the Telecommunications Telemedia Data Protection Act (TTDSG), which came into force at the end of 2021, must be observed.

To the complete main topic

European Data Protection Day 2024 in Berlin

On January 29, the 18th European Data Protection Day 2024 took place in Berlin on the topic of "Digital transformation - shaping the future of data protection". The event was organized by the data protection authority Schleswig-Holstein, which chaired the Conference of Independent Federal and State Data Protection Supervisory Authorities (DSK) in 2023. The focus was on the challenges arising from increasing digitalization. During the event, renowned national and international experts, including Anu Talus (Chair of the European Data Protection Board) and John J. Borking (former Vice President of the Dutch Data Protection Authority), discussed important developments in the field of data protection. In terms of content, they discussed the interactions between new legal regulations and the General Data Protection Regulation (GDPR), the changing handling of the requirements resulting from the GDPR, the topic of artificial intelligence and the institutionalization of the DSK provided for in the draft of the new Federal Data Protection Act (BDSG).

On the occasion of the day of action launched on the initiative of the Council of Europe, the German Association for Data Protection and Data Security (GDD) has published a checklist for requests for information. Due to the formal legal requirements, the large volume of data to be requested and the tight time frame, the GDD considers it necessary for companies to deal with the issue at an early stage and establish appropriate processes within the company in order to be able to process requests for information effectively. In its checklist, the GDD addresses organizational, procedural and normative regulations as well as technical requirements. According to the GDD, the recommendations are primarily based on the requirements developed by case law.

(Christina Prowald)

ECJ: No compensation for hypothetical risk of misuse

According to the ECJ, a theoretical risk of misuse of data does not justify compensation under Article 82 GDPR (ECJ, decision dated 25.01.2024, ref. C-687/21).

In the case on which the decision was based, a customer had filed a lawsuit against Saturn because an appliance he had purchased, including the purchase and financing documents containing various personal data, had been handed over to the wrong customer. The error was quickly noticed and the device and documents were returned within half an hour.

The ECJ firstly took the view that the fact that employees of the controller had mistakenly passed on a document containing personal data to an unauthorized third party was not sufficient to assume that the controller's technical and organizational measures were not appropriate within the meaning of Article 24 and 32 GDPR. Furthermore, the court ruled that the claim for damages under Article 82 GDPR only fulfills a compensatory function, but not a punitive function. In this respect, the ECJ referred in particular to the difference between the provisions contained in Article 82 GDPR and those contained in Article 83 and 84 GDPR. Moreover, the seriousness of the infringement was not to be taken into account for the purposes of compensation and the amount of damages. The ECJ also ruled that the person claiming damages must prove not only the infringement but also the damage suffered. It follows from the wording of the provision that a mere breach of the GDPR is not sufficient to justify a claim for damages. Rather, in addition to a breach, there must also be damage and a causal link between the breach and the damage. The damage does not have to exceed a materiality threshold. However, it is necessary to prove that the consequences of the infringement constitute non-material damage. If personal data was mistakenly passed on to an unauthorized third party who has demonstrably not taken note of this data, this does not result in non-material damage simply because the person concerned fears that the data could be further disseminated or misused after it has been passed on. In this respect, the court stated that the concept of non-material damage should be understood broadly and that the fear of data misuse could in principle constitute non-material damage. However, the existence of such damage must be proven. A purely hypothetical risk of misuse by an unauthorized third party could not lead to compensation.

(Christina Prowald)

ECJ: No lifelong storage of biometric data of convicted persons

On January 30, 2024, the ECJ ruled that it is inadmissible to store personal data, in particular biometric and genetic data of convicted persons, until the death of the person concerned and also in the event of their rehabilitation without regularly reviewing the need for further storage and without granting the person concerned a right to erasure of the data or restriction of data processing in the event of a discontinuation of the purpose (ECJ, decision dated 30.01.2024, ref. C-118/22).

The ECJ bases this on a proportionality assessment and on compliance with the principle of data minimization. Even if the storage of sensitive data such as fingerprints and DNA of convicted persons by police authorities for the prosecution and prevention of criminal offenses or the enforcement of criminal sanctions is justified in principle, it must be regularly reviewed whether the interference with fundamental rights associated with the storage is still necessary. Procedural safeguards should be established to ensure compliance with the existing time limits in this respect. The stored data may be essential in order to check whether the person concerned is involved in further criminal offenses. In this respect, however, it must be taken into account that the risk is not the same for all convicted persons. Lifelong retention is only appropriate in special circumstances that duly justify the retention. This is not the case, in particular, if the relevant provision applies generally and indiscriminately to every person convicted by final judgment.

The decision is based on a case in which a person was registered with the police in Bulgaria as part of a preliminary investigation into false testimony. After serving his suspended sentence, the person was considered to have been rehabilitated, which is why he requested that his data be deleted from the police register. Under Bulgarian law, however, fingerprints and DNA profiles may be stored and used for comparisons until the death of the person concerned.

(Christina Prowald)

OLG Hamburg: Compensation for damages due to unauthorized notification to SCHUFA

In the opinion of the Higher Regional Court of Hamburg, a bank's reporting of claims to SCHUFA in breach of duty justifies a claim for damages by the data subject pursuant to Article 82 GDPR in the amount of 4,000 euros (OLG Hamburg, decision dated 10.01.2024, ref. 13 U 70/23). The defendant bank had twice reported its claims against the plaintiff to SCHUFA, although the necessary requirements for this were not met.

The court stated that the plaintiff had suffered compensable non-material damage, as the plaintiff had to endure damage to his social reputation as a result of being portrayed as an unreliable debtor due to the unauthorized reports. In this respect, the plaintiff was also able to prove that the reports and the consequently worsened assessment of his creditworthiness risk caused him disadvantages with regard to the granting of a loan, and also that his credit card was blocked.

In the opinion of the court, the fact that the defendant acted with intent must be taken into account when calculating the damages. It must also be taken into account that the defendant did not revoke the notifications despite being requested to do so by the plaintiff and demonstrating that they were unlawful.

(Christina Prowald)

OLG Hamm: Still no compensation for damages due to data scraping on Facebook

Even after the new ECJ rulings on the right to non-material damages under Article 82 GDPR (we reported on this in January 2024), the Higher Regional Court of Hamm is still of the opinion that the data scraping incidents at Facebook do not justify damages under Article 82 GDPR and has confirmed its previous legal opinion in this respect (OLG Hamm, decision dated 21.12.2023, ref. 7 U 137/23).

In its decision of December 21, 2023, the court again stated that a plaintiff who is affected by a breach of the GDPR and asserts negative consequences in this respect must prove that these consequences constitute non-material damage within the meaning of Article 82 GDPR. It also pointed out that the court was implementing the requirements of the ECJ by assessing the evidence presented by the plaintiff in this regard. According to this, if a person invokes the fear that their personal data will be misused in the future due to such an infringement, the national court hearing the matter must examine whether this fear is to be regarded as justified under the given circumstances and with regard to the person concerned. In the present case, however, there was no causal non-material damage. The question at issue, namely whether the negative consequence of a mere loss of control qualifies as non-material damage, has already been clarified by the recent decisions of the ECJ.

(Christina Prowald)

OLG Dresden comments on data scraping on Facebook

On December 5, 2023, the Higher Regional Court of Dresden also ruled that the data scraping incidents on Facebook do not justify damages against the company under Article 82 GDPR (OLG Dresden, decision dated 5.12.2023, ref. 4 U 709/23, available at https://www.justiz.sachsen.de/esamosplus/pages/index.aspx).

The court found that, although there had been breaches of the GDPR in principle, these had not led to any causal non-material damage to the plaintiff and, accordingly, no claim for damages. The OLG Dresden further stated that the burden of proof for the existence of damage lies with the plaintiff. However, the plaintiff had not provided evidence of the damage and the causal link. The mere loss of control alone was not sufficient to establish immaterial damage. The loss of control must have had certain consequences for the person concerned in order to justify non-material damage. In this respect, the plaintiff must prove an impairment that goes beyond the loss of control, an immaterial damage in the specific individual case. Otherwise, in the opinion of the court, practically every data protection breach would lead to damage. The assertion that the loss of control had caused great discomfort and concern about possible misuse was also not sufficient in this respect.

(Christina Prowald)

ArbG Suhl: Answering requests for information by unencrypted e-mail inadmissible

On December 20, 2023, the Suhl Labor Court ruled that responding to a request for information pursuant to Article 15 GDPR by means of an unencrypted email is not permissible (ArbG Suhl, decision dated 20.12.2023, ref. 6 Ca 704/23).

The plaintiff requested information from the defendant in writing about all the data stored about him. The defendant subsequently sent the requested information by means of an unencrypted email, whereupon the plaintiff in turn lodged a complaint against the defendant with the data protection supervisory authority of Thuringia (TLfDI). The TLfDI shared the plaintiff's view that the provision of information by means of an unencrypted email violated Article 5 (1) (f) GDPR. The plaintiff subsequently turned to the TLfDI again over further alleged data protection violations by the defendant and ultimately demanded compensation for damages in the amount of 10,000 euros.

The court has now ruled that the plaintiff is not entitled to compensation under Article 82 GDPR. The reason given by the Suhl Labor Court was that the plaintiff failed to demonstrate the occurrence of damage. As already confirmed by the TLfDI, there had been a breach of Article 5 GDPR due to the sending of the unencrypted email. However, the plaintiff had not demonstrated any damage. Such damage does not already result from the breach of the GDPR. Rather, taking into account the case law of the ECJ, damage and a causal link between the breach and the damage are also required. The plaintiff would have to prove this. However, this had not been done, so that a claim for damages under Article 82 GDPR was ruled out.

(Christina Prowald)

BfDI calls for WhatsApp proceedings to be closed

The Federal Commissioner for Data Protection and Freedom of Information (BfDI) calls on the Irish Data Protection Authority (DPC) to issue a decision in the still open proceedings against WhatsApp and to finally clarify the remaining questions (press release of 12.01.2024).

The proceedings relate to the amended terms of use following the introduction of the GDPR and the associated privacy policy, which had to be accepted by users in order to continue using the messenger service. In this respect, the company took the view that by agreeing to the terms of use, a contract was concluded between WhatsApp and the user and that the data processing by WhatsApp was necessary to fulfill this contract. The complainant, on the other hand, argued that WhatsApp actually wanted to rely on consent and was in fact forcing users to agree to the data processing. After no agreement could be reached between the supervisory authorities involved, the EDPB determined that the data processing could not be based on the performance of the contract. The DPC subsequently ruled that WhatsApp is not entitled to refer to Article 6 (1) (b) GDPR (we reported in February 2023).

However, a final assessment of whether the measures taken by WhatsApp in response to the DPC's decision are sufficient to implement the decision and use the service in compliance with data protection regulations has not yet been carried out. The DPC has also not yet investigated whether WhatsApp processes personal data for the purposes of behavioral advertising, for marketing purposes and for the provision of statistics to third parties and the exchange of data with affiliated companies and whether this is done in compliance with data protection regulations, although such an investigation was requested by the EDPB. The BfDI now intends to work towards clarifying the outstanding issues and bringing the proceedings to a swift conclusion.

(Christina Prowald)

LfDI: Discussion paper on the use of AI published

On November 7, 2023, the State Commissioner for Data Protection and Freedom of Information Baden-Württemberg (LfDI) published a discussion paper entitled "Legal bases in data protection when using artificial intelligence". It deals with the question of when and how personal data may be processed for the training and use of artificial intelligence.

The aim of the document is to support data controllers in the data protection-compliant use of AI systems. In particular, the relevant legal bases will be discussed. First of all, attention is drawn to how diverse data processing can be in the context of AI systems. Five processing phases are presented as examples. This is followed by a discussion of data protection responsibility for the data processing procedures and the concepts of joint responsibility and commissioned processing. There is also an in-depth discussion of the various legal bases that can play a role in the context of the use of AI systems. The discussion paper also contains a short checklist and further references to relevant case law and literature.

(Christina Prowald)

SDTB: New brochure "Attention camera"

The Saxon Data Protection and Transparency Commissioner (SDTB) has recorded an increase in inquiries about video surveillance. After 130 submissions in 2021, there were 200 submissions in 2023. The increase is exclusively attributable to non-public bodies. On November 9, 2023, the SDTB therefore published information on video surveillance for citizens, businesses and public authorities under the title "Attention camera!".

The first chapter of the brochure deals with video surveillance by non-public bodies. It begins by explaining which measures fall under the term video surveillance. Subsequently, topics such as the storage period, the documentation of video surveillance, possible legal bases and the consequences of unlawful video surveillance measures are discussed. The brochure also deals with the duty to inform, various issues relating to the monitoring of employees and the monitoring of different areas such as construction sites, petrol stations and retail. Processing situations in addition to classic video surveillance, such as doorbell cameras, webcams and parking space surveillance, are also addressed.

The SDTB, Dr. Juliane Hundert, commented on the subject of video surveillance as follows: "Only in every third case of video surveillance that I examine on the basis of a complaint is there nothing to object to in terms of data protection law. The use of cameras by private individuals in particular is predominantly unlawful. They often use the products offered on the market too carelessly and in an unlawful manner. It is too often overlooked that video surveillance is fundamentally an enormous invasion of privacy. This is why video surveillance is not permitted permanently and across the board, but only under certain conditions or not at all."

(Christina Prowald)

France: Fine of 32 million euros against Amazon France Logistique

On December 27, 2023, the French data protection authority (CNIL) imposed a fine of 32 million euros on Amazon France Logistique (notification of 23.01.2024).

Each Amazon France Logistique warehouse employee is equipped with a scanner as part of their job in order to document the execution of their assigned tasks in real time. Each scan by the employee leads to the recording of data that is stored and used to calculate indicators that provide information on the quality, productivity and inactivity times of each employee. Following various press articles, the CNIL carried out investigations into this matter and followed up on several complaints from those affected.

The supervisory authority has now identified various breaches of the GDPR. For example, there were several violations of the principle of data minimization (Article 5 (1) (c) GDPR) and the recording of various indicators could not be based on a legitimate interest pursuant to Article 6 (1) (f) GDPR due to the excessive monitoring of employees. In addition, the CNIL found various violations of the obligation to provide information and transparency (Article 12 and 13 GDPR) and the obligation to take sufficient technical and organizational measures (Article 32 GDPR). In terms of content, the breaches identified related to video surveillance, work schedules and employee appraisals as well as warehouse management.

(Christina Prowald)