
Newsletter data protection
Dear readers,
We cordially invite you to our Data Protection Law Day on May 24, 2024!
Since the GDPR came into force, some data protection issues in connection with the application of the GDPR have been fully or at least partially clarified. Other questions and problems continue to arise or are even completely new.
We would like to use the 5th BRANDI Data Protection Law Day to discuss issues relating to the rights of data subjects, the consequences of data protection violations and data protection and new technologies with you and external experts. This year, our event will take place at the Heinz Nixdorf Museumsforum on the premises of the Fachhochschule der Wirtschaft. We would be delighted to meet you in person in Paderborn. In addition, there is once again the opportunity to participate passively online in our Data Protection Law Day.
We were once again able to attract renowned experts for the event. This year, Dr. Thilo Weichert, former head of the data protection supervisory authority in Schleswig-Holstein (ULD), and Prof. Dr. Eckhard Koch, cyber security expert, will be our guests and help shape our Data Protection Law Day.
Two keynote speeches will be followed by a moderated discussion round to explore the various questions and topics in greater depth. At our Data Protection Law Day, we will deal with the following aspects, among others:
- Rights of data subjects: Scope of the right of access, "Copy" of personal data, Assertion of the right of access for reasons unrelated to data protection, When is the right of access fulfilled?
- Damages: Requirements for a claim for damages, Interpretation of the term "immaterial damage"
- Fines: Requirements for the violation - violations by legal persons, Intent and negligence
- Data protection-compliant design of cookie banners and permissibility of pure subscription models
- Technical and organizational measures in data protection law and guidelines for IT use
- Reporting and procedure for data protection incidents
- Artificial intelligence and data protection law
Further information about the event and how to register can be found on our homepage.
For feedback on this newsletter or questions related to the newsletter topics, please email us at datenschutz@brandi.net. You can also find the other contact details on our homepage.
Dr. Sebastian Meyer and the BRANDI data protection team
Topic of the month: Data erasure - Online and Offline
In connection with the storage or other retention of data and its erasure, it is often said that erased data is the most secure data. This statement refers in particular to the principle of storage limitation pursuant to Article 5 (1) (e) GDPR, one of the key principles of data protection law. Accordingly, personal data may only be stored or otherwise retained for as long as necessary for the purposes pursued. As soon as the data is no longer required, it must be erased in accordance with Article 17 (1) GDPR. The erasure requirements are intended, among other things, to prevent personal data from falling into the hands of unauthorized third parties or being misused in any other way.
There is often a conflict between the obligation to erase or destroy data and the company's interest in continuing to store it. Various questions arise in this context: How long may personal data be stored? What is meant by the terms "erasure" and "destruction"? What needs to be considered when erasing data from online systems? And what applies with regard to the destruction of data carriers and paper documents?
European Parliament approves AI regulation
On March 13, 2024, the European Parliament approved the Artificial Intelligence Act after the Parliament and Council agreed on the final text in December 2023. The AI Regulation was adopted by MEPs by a large majority (press release dated 13.03.2024).
The new provisions of the AI regulations are intended to protect fundamental rights, democracy and the rule of law as well as health, safety and the environment from high-risk AI systems, while also promoting innovation and ensuring that the EU takes a leading role in the field of artificial intelligence. To this end, the regulation provides for various obligations for AI systems, depending on the respective risks and impacts. Systems classified as high-risk include those used in critical infrastructure, education, training or employment and those used for private and public services, in certain areas of law enforcement and in relation to migration and border management, justice and the democratic process. Such systems must assess and reduce risks, keep usage logs, be transparent and accurate, and be supervised by humans.
Brando Benifei, co-rapporteur of the Internal Market Committee, said: "We finally have the world's first binding law on artificial intelligence to reduce risks, create opportunities, combat discrimination and ensure transparency. Thanks to the Parliament, unacceptable AI practices will be banned in Europe and the rights of workers and citizens will be protected. The European Artificial Intelligence Office is now being set up to help companies comply with the regulations before they come into force. We have ensured that people and European values are at the forefront of the development of artificial intelligence."
The regulation is now undergoing a final review by legal and linguistic experts and must then be formally adopted by the Council. The regulations then enter into force 20 days after publication in the Official Journal of the EU and - with various exceptions - are applicable 24 months after entry into force.
(Christina Prowald)
ECJ: 2,000 euros in damages for unauthorized processing of intimate conversations
In its judgment of March 5, 2024, the European Court of Justice (ECJ) awarded a plaintiff a claim for damages in the amount of 2,000 euros against Europol due to unlawful data processing, which was expressed in the disclosure of intimate conversations between the plaintiff and his girlfriend to unauthorized persons (ECJ, decision dated 05.03.2024 - Ref. C-755/21 P). The unlawful data processing had violated the plaintiff's right to respect for his private and family life and his communication and had impaired his honor and reputation, causing him non-material damage.
As part of an investigation into the murder of a journalist and his fiancée, the Slovakian authorities requested Europol to extract data stored on phones allegedly belonging to the plaintiff. After Europol sent its reports and a hard disk with the extracted encrypted data to the Slovakian authorities, the Slovakian press published information taken from the phones, including intimate conversations of the plaintiff. The plaintiff then demanded compensation of 100,000 euros from Europol. Europol, on the contrary, argued that the damaging event could not be attributed to it, as it had duly handed over the information to the Slovakian authorities. The action was dismissed by the General Court of the European Union (EGC), which the plaintiff contested.
The ECJ has now established that EU law provides for joint and several liability between Europol and the Member State in which the damage occurred as a result of the unlawful data processing. In order to assert this liability, the data subject only has to prove that unlawful data processing has occurred during the cooperation between Europol and the Member State, which has led to damage. Contrary to the opinion of the EGC, it is not necessary for the data subject to prove to which of the two bodies the data processing in question is attributable. The ECJ subsequently awarded the plaintiff damages in the amount of 2,000 euros. The decision is interesting, among other things, because the ECJ otherwise rarely has to decide on the specific amount of damages and usually only has to answer abstract questions referred for a preliminary ruling. The amount awarded by the ECJ is relatively low considering the disclosed content, especially in comparison to the award practice of some courts in relation to minor data protection violations.
(Christina Prowald)
ECJ: TC string is personal data
In its ruling of March 7, 2024, the ECJ found that the "Transparency and Consent String" (TC string) contains information about an identifiable user and is therefore personal data within the meaning of the GDPR (ECJ, decision dated 07.03.2024 - Ref. C-604/22).
If a user calls up an online offer with an advertising space, companies can place bids anonymously in real time to obtain this advertising space and display advertising tailored to the user. The user's consent is generally required for the associated data processing. IAB Europe has developed a solution to bring the auction system in line with the requirements of the GDPR. The user preferences recorded via the Consent Management Platform are encoded and stored in a TC string. This is shared with the advertising companies so that they know which data processing procedures the user has consented to. In addition, a cookie is stored on the user's device. In combination, the TC string and the cookie can be assigned to the user's IP address.
In 2022, following various complaints, the Belgian supervisory authority determined that the TC string is personal data. The ECJ has now endorsed this view, as the information contained in a TC string, if assigned to an identifier such as a user's IP address, can be used to create a user profile and identify the data subject. Even if the TC string as a combination of numbers and letters does not contain any elements that enable direct identification of the data subject, this does not change the fact that it also contains the user preferences that relate to a natural person and that the person to whom this information relates can be determined by combining it with other data.
(Christina Prowald)
ECJ on the deletion of unlawfully obtained data
The supervisory authority of a Member State may order the erasure of unlawfully processed data ex officio if this is necessary to fulfill its task of ensuring compliance with the GDPR (ECJ, decision dated 14.03.2024 - Ref. C-46/23). A prior application by a data subject within the meaning of Article 17 GDPR is not required in this respect, according to the ECJ in its ruling of March 14, 2024.
In order to provide financial support to persons belonging to a group at risk from the Covid-19 pandemic, the Ujpest local government requested the Hungarian State Treasury and the competent authorities to provide it with the personal data required to check the eligibility criteria. The Hungarian State Treasury and the competent authorities complied with this request. The Hungarian supervisory authority then found that the parties involved had violated the GDPR, as the data subjects were not informed about the data transfer and further data processing. It subsequently imposed fines and ordered the Ujpest administration to delete the data. The Ujpest administration contested the decision, as it was of the opinion that the supervisory authority could only order the deletion of data if the data subjects had previously submitted a corresponding request in accordance with Article 17 GDPR.
The ECJ ruled that a supervisory authority that finds that data processing does not comply with the GDPR must remedy the breach. This applies regardless of whether data subjects have previously submitted an application, as the requirement to submit an application would mean that the controller could continue to store and unlawfully process personal data. This view is also supported by the aim of the GDPR to achieve a high level of protection for the fundamental right of natural persons to the protection of personal data concerning them.
(Christina Prowald)
BGH on the scope of the right of access under Article 15 GDPR
On February 6, 2024, the Federal Court of Justice (BGH) ruled that Article 15 (1) and (3) GDPR does not give rise to a fundamental right to disclosure of copies of the explanatory letters including attachments to premium adjustments in private health insurance (BGH, decision dated 06.02.2024 - Ref. VI ZR 15/23).
Because the plaintiff considered the contribution increases of his health insurance company to be unlawful, he demanded information from the defendant about contribution increases made in the past as well as the corresponding documents. He claimed that he did not have the relevant documents. After the Regional Court of Verden upheld the claim and the Higher Regional Court of Celle dismissed the appeal, the defendant turned to the Federal Court of Justice.
In its decision, the BGH, referring to its ruling from September 2023 (we reported in November 2023), again states that the asserted claim cannot be based on Article 15 (1) and (3) GDPR. The concept of personal data is to be understood broadly, taking into account the case law of the ECJ. However, letters from a controller to a data subject are only to be classified as personal data insofar as they also contain information about the data subject. Although individual parts of the requested documents are to be classified as personal data of the plaintiff, the documents as a whole are not personal data, so that the claim cannot be derived from Article 15 (1) GDPR. No further claim can be derived from Article 15 (3) GDPR either, as the provision only specifies the modalities for the fulfillment of the claim under Article 15 (1) GDPR. Moreover, the term "copy" contained in Article 15 (3) GDPR does not refer to a document as such, but to the personal data contained therein. A reproduction of documents or entire documents only had to be made available if contextualization was necessary to ensure their comprehensibility. However, the plaintiff had neither argued this nor was it evident in any other way.
Nevertheless, the plaintiff is entitled to information in good faith insofar as he is excusably uncertain about the existence and scope of his right.
(Christina Prowald)
BFH: Legal entity cannot assert right of access under Article 15 GDPR
According to the Federal Fiscal Court (BFH), a legal entity cannot derive any rights directly from Article 15 GDPR (BFH, decision dated 08.02.2024 - Ref. IX B 113/22). As part of a dispute before the tax court, the plaintiff GmbH requested information about personal data from the defendant tax office in the form of the provision of complete copies from the court files, the administrative and appeal files of the tax office and, if applicable, other existing files in accordance with Article 15 GDPR. The tax court rejected the request.
The BFH has now endorsed this view and found that Article 15 (1) GDPR cannot be considered as a basis for a claim. According to Article 1 (1) and (2) GDPR, the GDPR only contains provisions for the protection of natural persons. The regulation does not cover and protect the data of legal persons. In the case in question, however, the managing partner of the plaintiff did not assert the claim as a potentially affected natural person in his own name, but rather in the name of the plaintiff, i.e. a legal entity, which is why a claim under Article 15 (1) GDPR is ruled out. The provision of Section 2a (5) AO could also not justify the application of Article 15 GDPR, as the extension of the GDPR does not apply to proceedings before tax courts.
(Christina Prowald)
KG Berlin: News on the fine proceedings against Deutsche Wohnen
On January 22, 2024, the Court of Appeal (KG) in Berlin ruled that the fine proceedings against Deutsche Wohnen must be retried in the first instance (KG, decision dated 22.01.2024 - Ref. 3 Ws 250/21, 3 Ws 250/21 - 161 AR 84/21).
In September 2019, the Berlin supervisory authority imposed a fine of 14.5 million euros on the real estate company because tenant data was not stored in accordance with data protection regulations and, in particular, old data was not deleted in good time. The Berlin Regional Court of First Instance then declared the fine to be invalid on formal grounds in February 2021 (we reported on this in March 2021). In the opinion of the court, a sanction could not be considered insofar as the company could not be proven to be at fault by management personnel. The KG Berlin, which subsequently dealt with the complaint lodged by the public prosecutor's office, then referred the issue in question to the ECJ. In December 2023, the court ruled that it is not a prerequisite for the imposition of a fine to first establish that the infringement was committed by an identifiable natural person (we reported in January 2024). A synopsis of Article 4 No. 7, Article 83 and Article 58 (2) (i) GDPR shows that a fine can also be imposed on a legal person if it has the status of a controller. The breach giving rise to the fine does not have to be committed by a management body, nor does the management body have to have knowledge of the breach. The legal entity is not only liable for breaches committed by its representatives, managers or directors, but also for breaches committed by other persons acting on its behalf in the course of their business activities. However, the imposition of a fine requires a culpable breach of the GDPR.
The KG now stated that the administrative order imposing the fine fulfilled the requirements of Section 66 OWiG, taking into account the ECJ's decision. In particular, the decision does not have to specify which representative or which body is responsible for which specific act or omission. The notice described the accused actions in a sufficiently comprehensible and clear manner. The court therefore referred the case back to the regional court for a further decision on the fine.
(Christina Prowald)
LG Passau comments on transfers to third countries
In its decision of February 16, 2024, the Regional Court of Passau deals with a scraping incident in a social network and also comments on the admissibility of third country transfers (LG Passau, decision dated 16.02.2024 - Ref. 1 O 616/23).
With regard to the scraping incident, in the course of which the plaintiff's data was also accessed and published, the LG Passau denied the claims asserted by the plaintiff, as in the court's view there was no relevant breach of the GDPR. With the exception of the telephone number, the leaked information was data that the plaintiff himself had intended for publication. The plaintiff himself could restrict the findability of his telephone number. Furthermore, the plaintiff did not suffer any causal damage. Insofar as the plaintiff had claimed a feeling of discomfort and loss of control on the occasion of the incident, no damage could be derived from this.
In response to the plaintiff's allegation that the platform was forwarding all personal data to the USA and the National Security Agency (NSA) for review and investigation without cause, the court stated that it could not identify any unlawful data transfer. The platform originates from the USA and is designed globally, which is why the data for maintaining the network must inevitably be exchanged internationally and transmitted to the USA. The data transfer was therefore necessary for the performance of the contract pursuant to Article 6 (1) (b) GDPR. It is not apparent that the platform provides the NSA with all data unconditionally. The defendant had also sufficiently secured the third country transfers. The standard contractual clauses used by it constituted a sufficient legal basis. Even if the American appeal mechanism is based on a government regulation and not on formal law, the regulation is a law in the substantive sense. It is not clear why this could not provide equivalent legal protection. Since the data transfer was necessary for the performance of the contract, it was also permissible under Article 49 (1) (1) (b) GDPR. Opinions of the data protection supervisory authorities that deviate from this are not binding for the court. With regard to the right of access of US authorities, the court also stated that this was a consequence of the lawful transfer of data to the territory of the United States of America. This possibility does not prevent the guarantee of an essentially equal level of protection, as it would also be permissible under Article 6 (1) (c) GDPR.
The very clear argumentation of the court against a data protection violation by the third country transfer should be seen against the background that the court considered the claimed damages to be unjustified and that the action should be dismissed in any case. However, whether standard contractual clauses alone were sufficient as a safeguard seems questionable in light of the case law of the ECJ. However, the comment that the theoretical risk of government access in the USA does not automatically lead to illegality is also quite correct; the same applies to the comment that statements of opinion by the supervisory authorities do not have to be binding for companies - even if companies are generally well advised not to doubt the binding nature of guidelines from the supervisory authorities without necessity.
(Christina Prowald / Dr. Sebastian Meyer)
VG Bremen: Comprehensive right of access of the supervisory authority against companies
The competent supervisory authority can demand the submission of all advertising consents for the last 6 months if there is a suspicion that a company has sent unauthorized advertising by email (VG Bremen, decision dated 16.02.2024 - Ref. 4 V 2968/23; BeckRS 2024, 2203).
In this case, the supervisory authority had received several reports that the company had sent advertising by email without the required consent. As a result, the authority obliged the company to provide information on which persons were contacted for advertising purposes in the last six months and how often, as well as to submit the associated declarations of consent.
The court now stated that the supervisory authority is entitled to issue information orders in accordance with Article 58 (1) (a) GDPR and that the data controller must comply with these. With regard to the choice of specific measures, the authority has discretionary powers. The supervisory authority has the task of dealing with complaints from data subjects and investigating the subject matter of the complaint, which is why the supervisory authority was allowed to take action in the present case. The request was also not disproportionate. The interest in prosecuting breaches of data protection law outweighed the interest in uncontrolled data processing. It should also be taken into account that several affected parties have already complained about the company and that it can be assumed that there are an undetermined number of other affected parties.
(Christina Prowald)
VG Berlin on the proportionality of the right of access
On February 6, 2024, the VG Berlin ruled that the obligation to comply with a right of access under Article 15 GDPR does not cease to apply if the party obliged to provide information incurs a great deal of effort (specifically: reviewing far more than 5,000 pages of files) in order to comply with the claim (VG Berlin, decision dated 06.02.2024 - Ref. 1 K 187/21).
In the case in question, the plaintiff requested information from the defendant about the data stored about him and copies of all processes containing his data. The defendant then initially provided him with information about the data stored in the IT system. With regard to the transmission of the copies, the defendant asked the plaintiff to specify his request for information and to describe which documents or processes were specifically involved. The plaintiff then complained that the information was incomplete, as only his master data had been transmitted to him, and at the same time asserted a comprehensive claim for deletion. The defendant informed him that the plaintiff's data was part of the file and could only be deleted after the applicable retention periods had expired. With regard to the right of access, the defendant again referred to its previous request, whereupon the plaintiff filed suit.
The court stated that the right of access under Article 15 GDPR serves, among other things, to verify the accuracy of the data and the lawfulness of the processing. An abstract overview of the processed data is not sufficient for a lawfulness check. Rather, specific notification of the context in which the data was processed is required in order to be able to verify the lawfulness in each individual case. This can be achieved by providing copies in the sense of faithful reproductions. The defendant could not raise the objection of disproportionality or abuse of rights against the plaintiff's claim. The defendant did incur considerable expense in reviewing and examining the documents. However, a refusal by the controller can only be considered in the event of a manifestly gross disproportion between the efforts required and the interest in information. However, this was not the case in this instance. The plaintiff had plausibly explained that he particularly wanted to understand the disclosure to third parties in order to be able to assert further rights against them.
(Christina Prowald)
AG Lörrach: Fulfillment of the right of access must be proven by the defendant
According to the Lörrach District Court, the right of access under Article 15 GDPR also applies to audio recordings made by a company in the context of advertising calls (AG Lörrach, decision dated 05.02.2024 - Ref. 3 C 661/23).
The defendant called the plaintiff unsolicited and without consent at the end of 2022 and offered him a gas and electricity supply contract. The plaintiff subsequently declared his withdrawal. Nevertheless, he was then supplied with gas for several months, for which the defendant demanded payment. The plaintiff subsequently asked the defendant to acknowledge that the contracts had not arisen and that the claims did not exist. In addition, the plaintiff asserted his right of access against the defendant pursuant to Article 15 GDPR.
After the plaintiff argued that the claim for information had not yet been completely fulfilled because the audio recording of the telephone call in question had not yet been transmitted to him by the defendant, whereas the defendant was of the opinion that the claim had already been fulfilled, the court commented on the facts of the case. It found that the plaintiff had an undisputed claim under Article 15 GDPR to the transmission of the audio recordings. In this respect, the defendant is obliged to prove whether it has already transmitted the recordings and fulfilled the plaintiff's claim in this respect. The defendant had not submitted any corresponding evidence, which is why the court ordered the defendant to provide the plaintiff with complete information and, in particular, to transmit the data on the recorded telephone call. The court also found that the plaintiff had a claim against the defendant for reimbursement of the legal costs incurred as a result of the request for data information pursuant to Article 15 GDPR under Article 82 GDPR.
(Christina Prowald)
EU Data Protection Supervisor: Use of Microsoft 365 violates GDPR
Following an investigation, the European Data Protection Supervisor (EDPS) has found that the European Commission's use of Microsoft 365 violates several provisions of the GDPR and has imposed various remedies on the Commission (communication of 11.03.2024). In particular, the Commission has failed to take adequate measures to ensure that an equivalent level of protection is guaranteed for personal data transferred outside the EEA. In its contract with Microsoft, the Commission had also not sufficiently specified which data would be processed for which purposes.
The EDPS has therefore instructed the Commission to suspend all data transfers to Microsoft that are not covered by an adequacy decision until December 9, 2024. In addition, the Commission must ensure that the processing operations resulting from the use of Microsoft 365 comply with data protection regulations. The Commission must demonstrate compliance with the requirements by December 9, 2024.
The opinion of Wojciech Wiewiorowski as EDPS states: “It is the responsibility of the EU institutions, bodies, offices and agencies (EUIs) to ensure that any processing of personal data outside and inside the EU/EEA, including in the context of cloud-based services, is accompanied by robust data protection safeguards and measures. This is imperative to ensure that individuals’ information is protected, as required by Regulation (EU) 2018/1725, whenever their data is processed by, or on behalf of, an EUI.”
(Christina Prowald)
German data protection supervisory authorities participate in CEF 2024
The European Data Protection Board (EDPB) has launched its Europe-wide action "Coordinated Enforcement Framework (CEF)" for 2024 (communication of 28.02.2024). At the suggestion of the Federal Commissioner for Data Protection and Freedom of Information (BfDI), the EDPB has chosen the implementation of the right of access as the topic for its third coordinated action. 31 data protection authorities in the EEA, including 7 German supervisory authorities, are taking part in the initiative.
The right of access enables data subjects to check whether their data is being processed properly by the responsible bodies. It is one of the most important and most frequently exercised data subject rights and often acts as a door opener for the assertion of further data protection rights. The EDPB guidelines on the right of access published in 2023 should help companies to meet the requirements arising from the GDPR and ensure uniform standards when responding to such requests. The "CEF" campaign will now be used to review the implementation of the topic in practice and identify any further need for awareness-raising.
To this end, the participating supervisory authorities will send out questionnaires on the implementation of the right of access, initiate investigations and, if necessary, take follow-up measures. The results will then be published in a report by the EDPB.
(Christina Prowald)