Newsletter data protection

On May 16, 2025, our 6th BRANDI Data Protection Law Day will take place. Once again, we cordially invite you to attend!

This year's event will take place in Herford on the premises of Marta Herford. In addition, you will be able to follow the Data Protection Law Day passively online. Among our guests is Prof. Ulrich Kelber, former Federal Commissioner for Data Protection and Freedom of Information (BfDI). The day will open with a keynote by Prof. Kelber, after which we will discuss a range of current data protection law topics together; we expressly invite you to bring your own topics to the discussion. After the lunch break we will turn to current, practice-relevant use cases in a series of case studies. The day closes with a guided tour of Marta Herford.

You have the option of registering for the event using our registration form. You can find the registration form under the following link: Registration for the Data Protection Law Day

For feedback on this newsletter or questions related to the newsletter topics, please email us at datenschutz@brandi.net. You can also find the other contact details on our homepage.

Dr. Sebastian Meyer and the BRANDI data protection team

 

Topic of the month: Requirements for the accessibility of websites

On June 28, 2025, the Accessibility Improvement Act (Barrierefreiheitsstärkungsgesetz, BFSG) comes into force in Germany. The BFSG is intended to promote the equal and non-discriminatory participation of people with disabilities, impairments and older people, particularly in e-commerce offerings, and to this end lays down requirements for the design of certain products and services. It implements the EU Directive of April 17, 2019 on the accessibility requirements for products and services (Directive (EU) 2019/882), which uniformly defines the technical accessibility requirements and the related information obligations. For many companies, implementing the BFSG means reviewing and, where necessary, technically adapting their own online offerings.

To the complete main topic

 

BGH on damages for data protection violations

The Federal Court of Justice (BGH) has repeatedly had to deal with the questions of when a data protection breach has occurred and under what conditions a data subject is entitled to compensation under Art. 82 GDPR. In a landmark decision of November 2024 it laid down criteria for how the lower courts are to assess non-material damage (BGH, decision dated 18.11.2024 - Ref. VI ZR 10/24, Meta scraping). In those proceedings, however, the BGH did not itself have to rule on the amount of damages but referred the matter back to the court of appeal for further findings. In a new decision, the BGH has now for the first time commented specifically on the amount of a damages claim in an individual case (BGH, decision dated 28.01.2025 - Ref. VI ZR 183/22).

The starting point was a dispute about the existence of a mobile phone contract for which the provider issued monthly bills. The customer took the view that she had effectively revoked the contract extension and therefore disputed the legality of the bills. The provider responded by arranging a negative Schufa entry against her, which significantly impaired her creditworthiness. On this basis the court of appeal (OLG Koblenz) awarded her damages of 500 euros; she had sued for 6,000 euros. The BGH considered this amount justified but criticized the court of appeal's reasoning. For the BGH, the decisive factor in assessing the damage was that the negative Schufa entry had actually affected the customer's financing efforts and was therefore not merely a potential impairment. On this occasion the BGH again made clear that the claim for damages serves only a compensatory function and has no deterrent or punitive function.

If, however, even a case with concrete consequences warrants damages of “only” 500 euros, most of the amounts claimed with reference to a mere “loss of control” are likely to be clearly excessive. And if a significantly higher amount is claimed, as in the present case, there is a risk that the costs of the proceedings, which are apportioned between the parties according to the outcome, will in case of doubt eat up the damages actually awarded.

(Dr. Sebastian Meyer)

 

BVerwG on data collection from publicly accessible sources

On January 29, 2025, the Federal Administrative Court (BVerwG) ruled that the collection and use of data from publicly accessible sources for advertising purposes cannot simply be based on a legitimate interest under Art. 6 (1) (f) GDPR (BVerwG, decision dated 29.01.2025 - Ref. 6 C 3.23, see also the press release of 29.01.2025).

The plaintiff collected data on dental practices from publicly accessible sources such as telephone directories in order to call the dentists and ask whether they would sell precious metal residues to the plaintiff. In 2017, the Saarland supervisory authority had prohibited the plaintiff, under the law in force at the time, from processing the data for the purpose of telephone advertising unless consent or an existing business relationship existed. Referring to the GDPR, which has applied since May 2018, the plaintiff unsuccessfully applied for revocation of the now final decision. Its action before the Saarland Administrative Court to compel revocation was likewise unsuccessful.

The BVerwG, which heard the plaintiff's appeal, held that although the permission in Art. 6 (1) (f) GDPR, legitimate interest, is applicable in principle, the assessment of that interest must take account of the values of Section 7 (2) No. 1 UWG (Act against Unfair Competition), which itself implements Union law. The plaintiff lacks a legitimate interest if the data processing it pursues violates Section 7 (2) No. 1 UWG. Telephone calls asking about the willingness to sell precious metal residues are advertising, which is inadmissible without at least presumed consent. The publication of telephone numbers in publicly accessible directories does not constitute such consent, as it serves solely to ensure that patients can reach the practice. The legal situation had therefore not changed in the plaintiff's favor under the GDPR, and the authority's original prohibition could stand.

(Gesche Kracht)

 

OLG Dresden and OLG Bamberg on reviews on online platforms

The Higher Regional Courts of Dresden (OLG Dresden, decision dated 17.12.2024 - Ref. 4 U 744/24) and Bamberg (OLG Bamberg, decision dated 17.12.2024 - Ref. 6 W 12/24 e) dealt with two similar cases concerning reviews on employer rating platforms. On such platforms, current and former employees, trainees and applicants can rate employers with stars and/or in various categories. In both cases, reviews had been posted that the employers concerned perceived as negative and damaging to their reputation.

In the Bamberg case, the applicant asserted a claim for information under Section 21 TDDDG against the operator of the rating platform, arguing that the reviews were relevant under criminal law and that the information was needed to assert its own rights against users unknown to it. In the Dresden case, the plaintiff had applied at first instance for an injunction against publication of the review in question; the question there was also to what extent the operator of a rating platform must provide information about the reviewer as part of its secondary burden of proof.

The Bamberg Higher Regional Court held that the requirements for a right to information under Section 21 (2) (2) TDDDG were not met. Firstly, only inventory data, not IP addresses, may be disclosed, and even inventory data only where a statement made in the form of a review constitutes defamation, abusive criticism, a formal insult or an attack on human dignity. As a legal entity, the applicant could not invoke the last of these, and the court did not consider the other variants fulfilled either. Weighing the impairment of “business honor” by the contested statements against freedom of expression, the court also concluded that they were permissible expressions of opinion. Verifying whether the reviewer is in fact an employee is, moreover, primarily the operator's responsibility. The applicant therefore could not demand disclosure of the data.

The Dresden Higher Regional Court also refers to this point in its decision. In principle, unlimited disclosure of the reviewer's identity cannot be demanded, because Section 19 (2) TDDDG guarantees a right to anonymous or pseudonymous use of the internet. That interest in anonymity ceases to apply where a third party claims that its rights have been violated by the reviewer; in such cases the operator is authorized to disclose personal inventory data under Section 21 (2) TDDDG. The obligation to provide the information to the injured party, however, requires a prior court order under Section 21 (3) TDDDG. In the specific case, the plaintiff relied only on the alleged unlawfulness of the review because there had been no business contact with the reviewer; the court left open whether the outcome would differ if it were asserted that the review itself had unlawful content.

(Gesche Kracht)

 

OLG Schleswig on proof of being affected by API bug on X

In a notice order (Hinweisbeschluss) of October 16, 2024, the Higher Regional Court of Schleswig confirmed that an entry on the website haveibeenpwned.com is not sufficient proof that a person's data was in fact leaked (OLG Schleswig, decision dated 16.10.2024 - Ref. 5 U 56/24, GRUR-RS 2024, 38496).

The plaintiff asserted, in particular, claims for damages for alleged GDPR violations in connection with a so-called scraping incident. In June 2021, the defendant, the communication platform X, had a vulnerability in its API through which data was retrieved without authorization. Whether the plaintiff was actually affected by this API bug was disputed between the parties. The plaintiff relied on a positive result on haveibeenpwned.com as proof. The court of first instance in Lübeck dismissed the action as unfounded (LG Lübeck, decision dated 28.03.2024 - Ref. 15 O 214/23), and the plaintiff appealed.

In the opinion of the OLG, the plaintiff is likewise not entitled to compensation, as it had not proven that it was affected by the defendant's API bug at all. Even though the Federal Office for Information Security (BSI) itself refers to haveibeenpwned.com, the court made clear that the website does not provide sufficient evidence that the plaintiff was affected: it is not apparent on what basis the operator determines whether individual users are affected by a specific incident, and whether the operator's statement that it had obtained the leaked data is true cannot be verified.

(Gesche Kracht)

 

OLG Schleswig: Sending invoices by email requires end-to-end encryption

In its judgment of December 18, 2024, the Higher Regional Court of Schleswig ruled on the security measures the GDPR requires when invoices are sent by email (OLG Schleswig, decision dated 18.12.2024 - Ref. 12 U 9/24).

The parties disputed whether the plaintiff could demand (renewed) payment of remuneration for work after the payment had been credited to a different account because a criminal third party had manipulated the invoice the plaintiff sent by email. The Regional Court of Kiel upheld the claim, holding that the defendant had no damages claim for breach of an ancillary obligation arising from the third party's manipulation of the invoice which it could have raised against the claim by way of the dolo agit defense under Section 242 BGB.

The Higher Regional Court of Schleswig corrected this: the defendant is entitled to damages under Art. 82 (1) GDPR. When sending the email at issue, the plaintiff had violated the principles of Art. 5, 24 and 32 GDPR. A breach cannot be assumed merely because third parties gained unauthorized access to personal data; the controller must, however, demonstrate that the security measures it took were appropriate to protect personal data against such access. For business emails with a high financial risk, such as invoices, transport encryption is not a suitable security measure within the meaning of the GDPR; in the OLG's view, end-to-end encryption is required. The court relied on a guidance document of the Data Protection Conference (DSK) and on information published by the BSI. The point matters technically because transport encryption (TLS) only protects the connection between two mail servers: the message sits in plaintext on every intermediate server and in both mailboxes, and anyone who controls one of them can read and alter it without the recipient noticing. The other requirements for a damages claim were also met; in particular, on the question of fault the plaintiff cannot rely on the fact that its IT consultant had recommended transport encryption, as the decision ultimately lay with the plaintiff itself.

Whether the decision can be generalized beyond the prior manipulation in this case, in the sense that invoices may in general only be sent in securely encrypted form, seems very questionable, however.

(Gesche Kracht)
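As an added illustration of the distinction the court draws (this is example code written for this newsletter, not material from the judgment, the DSK guidance or the BSI), the following Go program contrasts an invoice that is only protected in transit with one that is end-to-end encrypted for the recipient. It uses X25519 and AES-256-GCM from the Go standard library; the invoice text and IBANs are constructed for the example, and the SHA-256 key derivation is a simplification of what a real implementation (S/MIME or OpenPGP) would do.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is what travels through the mail system when the invoice is
// end-to-end encrypted: ephemeral public key, AES-GCM nonce, ciphertext + tag.
type Envelope struct {
	EphemeralPub []byte
	Nonce        []byte
	Ciphertext   []byte
}

// aeadFor derives an AES-256-GCM instance from the X25519 shared secret.
// SHA-256 over the secret and both public keys stands in for a proper KDF
// (HKDF) so that the example needs only the standard library.
func aeadFor(shared, ephPub, recipPub []byte) (cipher.AEAD, error) {
	h := sha256.New()
	h.Write(shared)
	h.Write(ephPub)
	h.Write(recipPub)
	block, err := aes.NewCipher(h.Sum(nil))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptInvoice seals the invoice for the recipient's public key: only the
// matching private key can read it, and any change in transit is detected.
func EncryptInvoice(recipient *ecdh.PublicKey, invoice []byte) (Envelope, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return Envelope{}, err
	}
	shared, err := eph.ECDH(recipient)
	if err != nil {
		return Envelope{}, err
	}
	ephPub := eph.PublicKey().Bytes()
	gcm, err := aeadFor(shared, ephPub, recipient.Bytes())
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	// The ephemeral key is authenticated as associated data so it cannot be swapped.
	ct := gcm.Seal(nil, nonce, invoice, ephPub)
	return Envelope{EphemeralPub: ephPub, Nonce: nonce, Ciphertext: ct}, nil
}

// DecryptInvoice opens the envelope and fails if ciphertext, nonce or
// ephemeral key were modified anywhere between sender and recipient.
func DecryptInvoice(recipient *ecdh.PrivateKey, env Envelope) ([]byte, error) {
	ephPub, err := ecdh.X25519().NewPublicKey(env.EphemeralPub)
	if err != nil {
		return nil, err
	}
	shared, err := recipient.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	gcm, err := aeadFor(shared, env.EphemeralPub, recipient.PublicKey().Bytes())
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, env.Nonce, env.Ciphertext, env.EphemeralPub)
	if err != nil {
		return nil, errors.New("invoice rejected: envelope was modified in transit")
	}
	return pt, nil
}

// SwapIBAN models the attack in the case: whoever holds the message in
// plaintext (a compromised mailbox or relay) rewrites the bank details.
func SwapIBAN(msg []byte, oldIBAN, newIBAN string) []byte {
	return bytes.ReplaceAll(msg, []byte(oldIBAN), []byte(newIBAN))
}

func main() {
	// Constructed sample invoice and IBANs, not real bank details.
	const victimIBAN, attackerIBAN = "DE00000000000000000001", "DE00000000000000000002"
	invoice := []byte("Invoice 2024-117\nAmount: 12,500.00 EUR\nIBAN: " + victimIBAN + "\n")
	recipient, _ := ecdh.X25519().GenerateKey(rand.Reader)

	// Transport encryption only: the relay holds plaintext and can rewrite it unnoticed.
	fmt.Printf("TLS-only path, as received:\n%s\n", SwapIBAN(invoice, victimIBAN, attackerIBAN))

	// End-to-end: the relay holds ciphertext, so the IBAN is not even visible to it,
	// and blind tampering is rejected by the recipient.
	env, _ := EncryptInvoice(recipient.PublicKey(), invoice)
	env.Ciphertext = SwapIBAN(env.Ciphertext, victimIBAN, attackerIBAN) // no-op
	env.Ciphertext[0] ^= 0x01
	if _, err := DecryptInvoice(recipient, env); err != nil {
		fmt.Println("E2E path:", err)
	}
}
```

What the program makes visible is the asymmetry the court relies on: on the TLS-only path the recipient has no way to tell the altered invoice from the original, whereas on the end-to-end path the decryption itself is the integrity check, and the attacker never sees the bank details at all. Real deployments get the same property from S/MIME or OpenPGP rather than a hand-rolled envelope.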

 

New concerns about the Data Privacy Framework

In a letter dated February 8, 2025 (IUST-SEC/LIBE D (2025) 2901), the European Parliament's Committee on Civil Liberties, Justice and Home Affairs (LIBE) pointed out to the European Commission that the US Privacy and Civil Liberties Oversight Board (PCLOB) no longer has a quorum after the new Trump administration forced several (Democratic) members out of the body. This is problematic because the PCLOB was meant to be a reasonably independent body whose task is to monitor compliance with the requirements of the Data Privacy Framework, the basis on which most data transfers to the USA and most use of American service providers in data processing currently take place. If the PCLOB can no longer exercise effective oversight because it cannot take decisions, while such oversight is an essential component under the ECJ's requirements from the earlier proceedings (Schrems I / II), the adequacy decision currently relied on for data transfers is at risk. Irrespective of any assessment by the ECJ, there is a risk of the Commission repealing the adequacy decision under Art. 45 (5) GDPR. In any case, further developments should be monitored carefully in view of the possible consequences.

(Dr. Sebastian Meyer)

 

LDI NRW uncovers data cartel

The State Commissioner for Data Protection and Freedom of Information (LDI) of North Rhine-Westphalia has opened investigations against several insurance companies for the unlawful exchange of personal data (press release of 22.01.2025). Ten insurers exchanged customers' personal data via a closed email distribution list, on which several employees of the companies were registered, in order to detect fraud cases and recognize fraud patterns. The cases concerned almost exclusively foreign travel health insurance, and sensitive data such as health data and data on minors were exchanged as well. The list was also used to send data to insurers that had no relationship with the data subjects, and no other safeguards for the data subjects were in place. The unlawful processing has since been stopped. The State Commissioner, Bettina Gayk, also points out that a system agreed with the data protection supervisory authorities already exists for exchanging information on fraud cases in compliance with data protection law.

(Gesche Kracht)

 

DSK plans assistance for anonymization and pseudonymization of personal data

The Data Protection Conference (DSK), the body of the independent federal and state data protection supervisory authorities, has the task of safeguarding and protecting fundamental data protection rights, achieving uniform application of data protection law and promoting its further development. To this end, the DSK uses resolutions, decisions, guidance documents, standardizations, statements, press releases and specifications.

At its first interim conference on January 29, 2025, the DSK decided to develop guidance on the effective anonymization and pseudonymization of personal data (DSK press release of 30.01.2025). “Pseudonymization” is defined in Art. 4 No. 5 GDPR as processing personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information, which is kept separately and is protected by technical and organizational measures. The European Data Protection Board (EDPB) has already published guidelines on pseudonymization (EDPB press release of 17.01.2025). “Anonymization”, by contrast, is not legally defined, and there is as yet no uniform European guideline; the EDPB plans to publish one this year. Anonymized data is of great practical value because, once data is anonymized, it can no longer be linked to individuals and the GDPR no longer applies. Anonymization therefore opens up additional, low-risk options for using data. The lack of uniform rules, however, leaves uncertainty about the procedures for anonymizing data and about the use of anonymized data.

With the planned guidance, the DSK intends, building on the EDPB guidelines, to select suitable procedures for correct anonymization and pseudonymization and to offer them as a practical tool for data processing in research, business and the public sector. Using concrete examples from medical research, AI development and statistics, the DSK paper is intended to show which requirements and procedures matter for pseudonymization and anonymization.

(Geraldine Paus)
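To make the definition concrete, here is an added Go example (written for this newsletter, not taken from the DSK, the EDPB or their guidelines). It shows why a plain hash of an identifier is not effective pseudonymization, while a keyed hash whose key is stored separately meets the “additional information kept separately” element of Art. 4 No. 5 GDPR. The patient identifiers, the key and the candidate list are constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// NaiveHash is the common but weak approach: SHA-256 of the identifier with
// no secret. Anyone who can enumerate plausible identifiers can reverse it.
func NaiveHash(id string) string {
	sum := sha256.Sum256([]byte(id))
	return hex.EncodeToString(sum[:])
}

// Pseudonymize is HMAC-SHA256 under a key that is stored separately from the
// pseudonymized data set (the "additional information kept separately" of
// Art. 4 No. 5 GDPR). Without the key, a pseudonym cannot be attributed to a person.
func Pseudonymize(key []byte, id string) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(id))
	return hex.EncodeToString(mac.Sum(nil))
}

// Reidentify models whoever holds the pseudonymized data set and a list of
// candidate identifiers, and tries to match them with the function fn.
// It returns the matching identifier if guessing succeeds.
func Reidentify(target string, candidates []string, fn func(string) string) (string, bool) {
	for _, c := range candidates {
		if fn(c) == target {
			return c, true
		}
	}
	return "", false
}

// RecoverWithKey is the legitimate path: whoever is entitled to the separately
// stored key can re-attribute the record, e.g. to answer an access request.
func RecoverWithKey(key []byte, target string, candidates []string) (string, bool) {
	return Reidentify(target, candidates, func(id string) string { return Pseudonymize(key, id) })
}

func main() {
	// Constructed sample data: the candidate list an attacker could enumerate.
	patientIDs := []string{"P-000001", "P-000002", "P-000003"}
	// Example key; in practice random, held in a key store with its own access rights.
	key := []byte("separately-stored-example-key")

	naive := NaiveHash("P-000002")
	if id, ok := Reidentify(naive, patientIDs, NaiveHash); ok {
		fmt.Println("plain hash re-identified by guessing:", id)
	}
	pseudo := Pseudonymize(key, "P-000002")
	if _, ok := Reidentify(pseudo, patientIDs, NaiveHash); !ok {
		fmt.Println("keyed pseudonym not re-identified without the key")
	}
	if id, ok := RecoverWithKey(key, pseudo, patientIDs); ok {
		fmt.Println("key holder re-attributed the record:", id)
	}
}
```

The pseudonymized record is still personal data, because the key holder can re-attribute it; the GDPR therefore continues to apply, which is precisely the difference from anonymization discussed above. The same guessing attack that breaks the plain hash also applies to any keyed scheme once the key leaks, which is why the separation of key and data set carries the whole protective effect.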

 

EDPB publishes report on the 2024 coordinated audit action

On January 16, 2025, the European Data Protection Board (EDPB) adopted the report on the results of its 2024 coordinated enforcement action (we reported in April 2024), which concerned the right of access (EDPB press release of 20.01.2025). In the course of the action, information from 1,185 controllers was evaluated; many German supervisory authorities also took part. Overall, most controllers stated that they take the requirements of the right of access into account to an average to high degree. Improvement is needed, however, with regard to the completeness of the information provided, obstacles for individuals exercising the right, e.g. formal requirements, and the interpretation of the limits of the right of access. Positive findings included the implementation of best practices. The report's findings largely coincide with those of the German supervisory authorities involved (DSK press release of 22.01.2025). The next coordinated action will concern the implementation of the right to erasure.

(Gesche Kracht)

 

Europe-wide audits on the right of access

In a press release dated 22.01.2025 (notification of 22.01.2025), the State Commissioner for Data Protection of Lower Saxony announced that the authority had randomly audited 15 companies from various sectors regarding their handling of requests for access under Article 15 GDPR. The aim was to find out how companies respond to access requests, how long they store personal data and how often they receive such requests.

The audit was part of the “Coordinated Enforcement Framework” (CEF) action of the European Data Protection Board (EDPB), in which, at national level, the state supervisory authorities of Bavaria (BayLDA), Brandenburg, Mecklenburg-Western Pomerania, Rhineland-Palatinate, Saarland and Schleswig-Holstein as well as the Federal Commissioner for Data Protection and Freedom of Information also took part, alongside a further 22 supervisory authorities at European level.

The Lower Saxony authority found no irregularities or breaches at the companies audited, leading the State Commissioner for Data Protection of Lower Saxony, Denis Lehmkemper, to conclude: “I am pleased that many companies in Lower Saxony clearly take the right of access seriously and have established appropriate processes.”

At the same time, the numerous inquiries and complaints about the right of access that the authority receives from citizens every year show that some companies and organizations in Lower Saxony still have catching up to do. Despite the overall positive conclusion, the State Commissioner therefore emphasized: “The right of access is an important right of data subjects. It makes it possible to exercise other data protection rights such as the right to rectification or erasure in the first place.”

(Habib Majuno)

 

Poland: Fines for failure to report a data protection incident

Last year, the Polish supervisory authority (UODO) imposed several fines in connection with data protection incidents.

In August 2024, the authority fined the Polish mBank 928,498.06 euros for failing to inform the data subjects after a data protection incident (decision DKN.5131.1.2024 of 20.08.2024). An employee of the bank had inadvertently sent customer documents to another financial institution. Although the documents were returned to the bank, it could not be ruled out that third parties had seen them. The bank decided not to inform its customers, taking the view that the risk to them was low because the recipient was itself subject to banking secrecy and had confirmed that it had made no copies of the documents. The authority referred to the EDPB's guidelines on personal data breach notification, according to which the trustworthiness of a recipient depends not on the recipient's status but primarily on the duration of the relationship between controller and recipient and the resulting knowledge of the recipient's procedures and other relevant details. Given the high risk to the data subjects, they should have been informed.

In September 2024, the authority fined the Polish public prosecutor's office 19,800 euros for unlawfully disclosing personal data of a victim of criminal proceedings at a press conference and for neither reporting the incident to the authority nor informing the person concerned (decision DKN.5131.33.2023 of 02.09.2024). In the authority's view, information from ongoing investigations or on the activities of the prosecutor's office may be disclosed where there is an important public interest. Disclosure of information from completed proceedings, as in this case, requires a legal basis, which the authority found to be lacking.

In November 2024, the authority fined a hospital 6,800 euros for failing to report a data protection incident (decision DKN.5131.6.2024 of 26.11.2024). A patient had inadvertently been given another person's health data. The hospital had informed the person concerned of the incident, but in the authority's view the incident should nevertheless have been reported.

(Marc-Levin Joppek)

 

Finland: Fine for inadequate security measures

The Finnish supervisory authority has fined Sambla Group, a provider of credit comparison services, 950,000 euros for inadequate security measures to protect customer data (notification of 20.12.2024). Third parties could access the customer data contained in credit applications if they knew the customer's personalized link, i.e. knowledge of the link alone was enough to retrieve the data. The authority's investigation found that personal data such as contact details, income, housing costs and marital status had in fact been disclosed to third parties.

(Marc-Levin Joppek)

 

Italy: Fine for unauthorized data processing for telemarketing purposes

The Italian data protection supervisory authority has fined the electricity and gas supplier E.ON Energia SpA over 890,000 euros for processing personal data for telemarketing without an adequate legal basis (measure of 27.11.2024, see notification of 31.01.2025).

The proceedings were triggered by complaints from two individuals who had received numerous unsolicited advertising calls and had asserted their data protection rights against the company without receiving a response. In its investigation, the authority found that an employee of the company had incorrectly recorded the consents given by the data subjects when activating their electricity and gas supply.

In the authority's view, this error was due to two weaknesses in the company's technical and organizational measures. Firstly, the company had no suitable measures to check and ensure that the consents given by the data subjects matched the information stored in its systems, and it therefore used personal data for telemarketing without a legal basis. Secondly, it had breached its duty to train and supervise the persons entrusted with telemarketing.

When investigating the second complaint, the authority further found that E.ON had used personal data for telemarketing that had been collected in a digital campaign through a form published on Facebook, even though the person concerned had never had a Facebook account. The company was therefore criticized for not having verified the identity of the person who submitted the personal data and for not having taken any other measures to ensure that the data collected in its campaign came from a legitimate source.

In addition, because of a clerical error, no response was given to the data subjects' requests.

Besides the fine of 892,738 euros, the authority ordered the company to take appropriate measures in future to ensure that the processing of personal data across the entire processing chain complies with the GDPR.

(Habib Majuno)