
Data Protection Newsletter
On May 16, 2025, our sixth BRANDI-Data Protection Law Day will take place on the premises of Marta Herford. We cordially invite you once again! The following program awaits you:
9:00 a.m. Coffee reception
9:30 a.m. Welcome to the conference
9:45 a.m. Keynote speech by the former Federal Data Protection Commissioner Prof. Ulrich Kelber
10:40 a.m. Breakfast break
11:00 a.m. Panel discussion
12:10 p.m. Q&A session - We invite you to discuss with us
12:30 p.m. Lunch break
1:15 p.m. Case studies on data protection law
2:30 p.m. Farewell
2:45 p.m. Guided tour through the Marta Herford
3:45 p.m. End of the event
You can register for the event using our registration form, which is available under the following link: Registration for the Data Protection Law Day
For feedback on this newsletter or questions related to the newsletter topics, please email us at datenschutz@brandi.net. You can also find the other contact details on our homepage.
Dr. Sebastian Meyer and the BRANDI data protection team
Topic of the month: Erasure of applicant data
The principles of data minimization pursuant to Art. 5 (1) (c) GDPR and storage limitation pursuant to Art. 5 (1) (e) GDPR mean that any data processing must be limited to what is required and personal data may only be stored for as long as is necessary for the purposes pursued. As soon as the data is no longer required, it must be deleted. In addition, the provision of Art. 17 (1) GDPR grants data subjects the right to demand the erasure of their data by the controller.
For the processing of applicant data, this means on the one hand that only data that is strictly necessary for processing the application may be requested, and on the other hand that the data from the application process may not be stored indefinitely.
ECJ: Detailed explanation obligation for automated credit rating
In its judgment of February 27, 2025, the ECJ had to deal with the requirements for meaningful information on automated decision-making within the meaning of Art. 15 (1) (h) GDPR (ECJ, decision dated 27.02.2025 - Ref. C-203/22).
In the initial dispute, a mobile phone provider refused to conclude a contract with a customer and based this on a credit assessment which had been automatically carried out by Dun & Bradstreet Austria - a company specializing in this field. In the ensuing legal dispute, the Federal Administrative Court found that the company had not provided any meaningful information about the logic involved in the automated decision-making process upon request and had therefore breached Art. 15 (1) (h) GDPR. The court involved in the enforcement of the decision then referred several questions to the ECJ regarding the specific scope of the duty to provide information.
The ECJ first stated that the wording of the legal norm covers all information that is relevant to the procedure and principles of automated processing of personal data in order to achieve a certain result. Due to the transparency requirement of Art. 12 (1) (1) GDPR, all relevant information must be provided in such a way that the data subject can understand which of their personal data is used in the context of automated decision-making and how. The complexity of the steps involved in automated decision-making does not release the controller from the obligation to provide explanations, whereby the mere transmission of an algorithm or the detailed description of each step is not sufficient.
However, the rights and freedoms of other people must be respected with regard to the information. If the controller is of the opinion that the information to be provided as part of the disclosure includes protected data of third parties or business secrets, this information must be disclosed to the competent supervisory authority or the competent court. These would then have to weigh up the conflicting rights and interests in order to determine the scope of the right of access. However, conflicting rights should not lead to the data subject being denied any information.
(Gesche Kracht)
ECJ on the calculation of fines
In its judgment of February 13, 2025, the ECJ ruled that the calculation of fines for violations of the GDPR is based on the total global turnover of a group and not on that of the individual company (ECJ, decision dated 13.02.2025 - Ref. C-383/23).
A Danish court sentenced the operator of a furniture store chain to a fine of 100,000 DK for a breach of the GDPR in relation to the storage of former customers' data. The public prosecutor's office, which was of the opinion that the calculation of the amount should be based on the total turnover of the Lars Larsen Group - the group to which the company belongs - appealed against the judgment.
In response to a request for a preliminary ruling from the court seized, the ECJ ruled that the maximum amount of a fine imposed for a breach of the GDPR is determined on the basis of the company's total global annual turnover in the previous financial year. The term “undertaking” within the meaning of Art. 83 (4) to (6) GDPR should be interpreted in conjunction with Recital 150 to mean an “undertaking” within the meaning of Art. 101 and 102 TFEU, i.e. any entity that carries out an economic activity, irrespective of its legal form and the way in which it is financed. Accordingly, from a legal perspective, an undertaking in this sense can consist of several natural or legal persons that form an economic unit.
Fines must also meet the overarching requirements of Art. 83 (1) GDPR and be effective, proportionate and dissuasive in the individual case. To assess this, it must also be taken into account whether the addressee of the fine belongs to an undertaking within the meaning of Art. 101 and 102 TFEU. The competent supervisory authority must also take certain criteria into account when deciding on a fine in accordance with Art. 83 (2) GDPR. According to the ECJ ruling, the interpretation of Art. 83 GDPR is also applicable if the infringements of the GDPR are not punished by the supervisory authorities but by a national court. According to Art. 83 (9) GDPR, fines imposed by national courts must also have the same effect as those imposed by the supervisory authorities.
(Gesche Kracht)
BGH: Compensation for unsolicited e-mail advertising
On January 28, 2025, the Federal Court of Justice ruled that unsolicited advertising emails do not in themselves trigger a non-material claim for damages under Art. 82 (1) GDPR (BGH, decision dated 28.01.2025 - Ref. VI ZR 109/23).
In January 2019, the plaintiff had purchased stickers from the defendant with the inscription “Begging and peddling prohibited” for his letterbox. In the following year, he received an advertising email from the defendant stating that the full service was also available during the coronavirus pandemic. The plaintiff had not previously consented to receiving advertising. The plaintiff objected to this processing of his personal data on the same day by email and, in addition to submitting a cease-and-desist declaration with a penalty clause, also demanded payment as “damages for pain and suffering” from the defendant in the amount of 500 euros in accordance with Art. 82 (1) GDPR. After the defendant failed to respond, the plaintiff took legal action to enforce his claim for injunctive relief and payment.
After his application for injunctive relief had already been granted at first instance, while his claim for payment was also unsuccessful before the Court of Appeal, the plaintiff pursued his application for payment with his appeal before the BGH. Also without success, as the BGH has now ruled. Although the sending of the advertising email could be considered a breach of the GDPR, this in itself was not sufficient to justify non-material damages within the meaning of Art. 82 (1) GDPR. In addition to the data protection breach, the plaintiff must also be able to prove specific non-material damage. As a rule, both the loss of control over one's own personal data and the justified fear of a person that their personal data will be misused by third parties due to a breach of the GDPR may be sufficient to justify such non-material damage. In the context of the infringement at issue, however, this would at least have required that the defendant had also made the plaintiff's data accessible to third parties by sending the advertising email, or that the plaintiff could have substantiated his expressed fear of a loss of control. The plaintiff did not succeed in providing this evidence. The mere assertion of a fear without proven negative consequences was just as insufficient as a purely hypothetical risk of misuse by an unauthorized third party.
(Habib Majuno)
BFH: Obligation to provide information even in the case of disproportionate effort
In its ruling from January 14, 2025, the Federal Fiscal Court (BFH) decided that a public authority does not have the right to refuse a request for information from a data subject in accordance with Art. 15 GDPR with reference to a disproportionate effort (BFH, decision dated 24.01.2025 - Ref. IX R 25/22). A corresponding restriction of the right of access does not arise from the GDPR and, in the specific case, also not from the provisions of national law.
It was disputed to what extent the plaintiff could demand information from the defendant (a tax office) in accordance with Art. 15 GDPR. In particular, the plaintiff requested that the tax office be ordered to provide him with a copy of the personal data subject to the processing. The tax office in question had previously refused to do so, citing disproportionate costs, and instead only granted access to the files.
In contrast, the BFH found that the GDPR does not restrict the right of access in the context of the request for information under Art. 15 GDPR and granted the plaintiff's request.
According to Art. 14 (5) (b) GDPR, the controller does not have to comply with its information obligations under the GDPR if this would involve a disproportionate effort. However, this only applies with regard to the information obligations within the meaning of Art. 14 GDPR and is not applicable by analogy to the request for information.
In particular, the right of access is not subject to the general reservation of proportionality and cannot be rejected as excessive simply because the data subject requests information about their personal data without restricting this request in terms of subject matter or time.
(Habib Majuno)
OLG Dresden on the claim for damages in the event of data leakage
In one case, the Higher Regional Court of Dresden had to deal with the question of whether a claim for damages under Art. 82 GDPR can also exist if the information affected by a data protection breach has already been the subject of non-compliant data protection processing in the past (OLG Dresden, decision dated 08.01.2025 - Ref. 4 U 812/24).
The plaintiff demanded compensation from the defendant pursuant to Art. 82 GDPR for the damage she had suffered as a result of a data protection breach by the defendant in June 2020. As a result, she had lost control of the personal data affected by the breach (in particular her email address) and must now be concerned about any misuse of data.
However, the Dresden Higher Regional Court did not follow this argument and denied the plaintiff's claim for damages. In the case at issue, the plaintiff had already lost control of her email address many years before the data protection incident in June 2020 due to a total of seven other data protection incidents in the period from 2008 to 2019. Under these circumstances, it could not be assumed that the plaintiff's fear that her email address could be misused was specifically attributable to the data protection incident at the defendant in June 2020. In view of the loss of control that had already occurred between 2008 and 2019, it was not plausible that the fear of misuse of the data had been triggered by the data protection incident in June 2020.
(Habib Majuno)
OLG Hamm: Compensation for damages due to Facebook scraping
In a case of data scraping on Facebook, the Higher Regional Court of Hamm sentenced the operator of the social network to pay damages in the amount of 200 euros on December 20, 2024 (OLG Hamm, decision dated 20.12.2024 - Ref. 11 U 44/24). The ruling focused on the proof of causal immaterial damage.
As a result of a default setting that the court described as data-unfriendly, user profiles could be searched for via the mobile phone number using the public search function in the social network. This constituted unlawful data processing. The plaintiff argued that he had suffered a loss of control with regard to his mobile phone number and the name assigned to it and was psychologically burdened by fears and concerns regarding the handling of his data and spam contacts, which is why there was immaterial damage.
In this respect, the OLG refers to the case law of the ECJ on non-material damages, according to which the loss of control over one's own data can also constitute non-material damage within the meaning of Art. 82 (1) GDPR. In the specific case, the plaintiff had demonstrated damage by describing a massive volume of spam text messages and calls since the publication of the scraped data. He had also credibly described his insecurity and concerns regarding the use of his telephone number. Spam calls had also reached him in situations such as when he was driving, in which their receipt alone would be stressful.
With regard to the assessment of damages, the sensitivity of the personal data concerned and its typical intended use must be taken into account in particular. The loss of control here was limited to data that was not particularly sensitive, but the publication of the data on the darknet had increased the risk of misuse and the duration and termination of the loss of control could hardly be influenced by the plaintiff apart from a change of telephone number, which is why the court considered the sum of 200 euros to be appropriate.
(Gesche Kracht)
LG Stade: unauthorized advertising in autoreply e-mails
On October 30, 2024, the Stade Regional Court ruled that the mention of a product in an email together with the wording that only “high-quality products are sent” is to be classified as advertising (LG Stade, decision dated 30.10.2024 - Ref. 4 S 24/24; MMR 2025, 153).
The plaintiff had received a confirmation message in response to an inquiry about a voucher in which, among other things, reference was made to individual products in combination with the information that “only high-quality products would be sent”. The Stade Regional Court stated that the confirmation message constituted advertising, as the term “advertising” is to be understood broadly and covers any measure aimed at promoting sales. Indirect sales promotion in the form of image advertising was also covered in this respect.
The fact that the email consisted only in part of advertising and in part of the permitted confirmation of receipt of the request did not indicate otherwise. The court also ruled that the plaintiff's inquiry with the request for a reply could not be interpreted as consent to receive advertising, which is why the sending was unlawful in the absence of corresponding consent from the data subject. It should be taken into account that the plaintiff was only comparatively slightly affected by the unsolicited advertising, as the advertising was recognizable as such. However, this was precisely why it was not a trivial matter. The plaintiff had to read the entire email in order to distinguish between the confirmatory and the advertising part. This was not a great effort. However, the ease of sending and its favorable advertising effect as well as the fact that the plaintiff cannot defend himself against receiving it must also be taken into account. In addition, the assessment of Section 7 (2) UWG must also be taken into account.
(Christina Prowald)
Changes with regard to data protection responsibility for Meta Business Tools
The European Court of Justice (ECJ) has already ruled in a judgment from 2018 that operators of Facebook fan pages can be (jointly) responsible for data processing by the Facebook provider Meta (ECJ, decision dated 05.06.2018 - Ref. C-210/16). Operators of a Facebook fan page must therefore conclude a joint controllership agreement with Meta.
Subsequently, Meta initially took the view that joint controllership applies to Facebook fan pages, but not to Instagram, even though similar data processing can take place on an Instagram account used for business purposes as on a Facebook fan page (we reported on this in our data protection newsletter in October 2020). Meta has therefore not offered to conclude a joint controllership agreement for Instagram in the past.
This has now changed. According to its new terms of use, Meta assumes that for the Meta Business Tools, which also include functions such as Instagram Insights, there is partly processing on behalf of the business user (data processing by Meta as processor), partly joint controllership and partly separate controllership. In the meantime, an agreement on joint controllership and an agreement on data processing are also offered for conclusion with business users for the Meta Business Tools.
In Meta's opinion, the processing of contact information for matching with user IDs for combination with event data and the processing of event data for measurement and analysis services should constitute data processing by Meta. The joint controllership relates to personal information in event data concerning the use of websites and apps with integrated business tools. In Meta's opinion, there is independent responsibility for all other data processing.
Data controllers should take this as an opportunity to review their privacy policies with regard to the correct presentation of data protection responsibilities for the Meta Business Tools. Changes may be required for Instagram in particular. If necessary, the descriptions should be updated; the data protection officer can provide support in case of doubt.
(Johanna Schmale)
EU Data Boundary for the Microsoft Cloud
Microsoft has announced that it has completed the expansion of its EU Data Boundary for its cloud services (update from 26.02.2025). The EU Data Boundary is a voluntary commitment by Microsoft to process customer data, personal data and professional services data related to Microsoft Enterprise Online Services, including Azure, Dynamics 365, Power Platform and Microsoft 365, within the borders of the European Union (EU) and the European Free Trade Association (EFTA). Despite this basic commitment, Microsoft points out in its updated information that it is still possible that some data will be transferred to locations outside the EU Data Boundary. This may include diagnostic data, for example, if its collection is activated. In some cases, an active configuration of the systems is also required for Microsoft to process the data within the EU Data Boundary.
(Christina Prowald)
LfD Lower Saxony: Risks associated with the use of DeepSeek
The State Commissioner for Data Protection (LfD) of Lower Saxony has pointed out the data protection risks associated with the use of the Chinese AI tool DeepSeek (press release no. 05/2025). It can currently be assumed that the tool does not meet the requirements of the GDPR and the AI Regulation. The provider's privacy policy states, for example, that all information and documents fed into the tool are recorded, transmitted, stored and analyzed without restriction. DeepSeek also points out that it is obliged to pass the data on to the Chinese secret service and security authorities. The State Commissioner for Data Protection of Lower Saxony, Denis Lehmkemper, commented as follows: "Chinese companies must also handle the data of European citizens in accordance with the law when they offer their apps in Europe. We have to assume that DeepSeek still has a lot of catching up to do in terms of data protection." More detailed information on the use of DeepSeek can also be found in a recommendation from the LfD Lower Saxony.
(Christina Prowald)
EDPB: Expert opinion on the implementation of data subjects' rights when using AI
As part of the project “AI: Complex algorithms and effective data protection supervision”, the European Data Protection Board (EDPB) published an expert opinion by external expert Dr. Kris Shrishak on the effective implementation of data subjects' rights in data processing involving AI at the end of January.
In his expert opinion, Dr. Shrishak begins by explaining that the implementation of the right to rectification and the right to erasure in the AI context in particular poses various challenges. He then shows that AI systems can be designed in such a way that compliance with the deletion requirements under data protection law is generally possible. For example, the data to be deleted can be removed from the training data and the model can then be retrained with the remaining data. This is a good approach for small models, but would cause difficulties for larger systems and could result in a loss of system performance. There are also various approaches for the system to "unlearn" the data to be deleted, although not all of them are sufficiently effective. In this context, the expert also points out that data protection rectification and erasure obligations can only be avoided by using completely anonymized data for the training and use of the AI system. In the event that personal data is to be used to develop an AI system, he recommends comprehensive documentation, in particular of updates and changes to the AI model, in order to be able to comply with data subject requests for rectification and erasure.
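The "remove and retrain" approach described above, together with the recommended documentation of model changes, as an added example in Python. This is not code from the expert opinion, the EDPB or the newsletter; the "model" is a deliberately tiny per-label word-count classifier, and all records, subject identifiers and texts are constructed for this example. Because training here is a pure function of the training records, retraining from scratch without a subject's records yields a model that is byte-identical to one that never saw that data, which is what a fingerprint comparison can prove to an auditor.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone
import hashlib
import json


@dataclass(frozen=True)
class Record:
    """One training record tied to a pseudonymous data subject (constructed data)."""
    subject_id: str
    label: str
    text: str


# Constructed sample training data; subject ids, labels and texts are invented.
SAMPLE_RECORDS = [
    Record("subj-01", "ham", "meeting agenda attached for monday"),
    Record("subj-02", "ham", "invoice for the agenda printing"),
    Record("subj-03", "spam", "win a free prize click now"),
    Record("subj-04", "spam", "free prize waiting click here"),
    Record("subj-42", "ham", "my vacation photos from the zebra reserve"),
]


def train(records):
    """Build a per-label word-count model. Training is deterministic, so two runs
    over the same records produce identical state (the property exact unlearning
    by retraining relies on)."""
    model = {"labels": Counter(), "words": defaultdict(Counter)}
    for r in records:
        model["labels"][r.label] += 1
        for word in r.text.lower().split():
            model["words"][r.label][word] += 1
    return model


def fingerprint(model):
    """Canonical SHA-256 over the model state, used to show two models are identical."""
    canonical = {
        "labels": dict(model["labels"]),
        "words": {label: dict(counts) for label, counts in model["words"].items()},
    }
    return hashlib.sha256(json.dumps(canonical, sort_keys=True).encode()).hexdigest()


def word_seen(model, word):
    """True if any label's counts still carry the word, i.e. the data left a trace."""
    return any(word in counts for counts in model["words"].values())


def erase_subject(records, subject_id, audit_log):
    """Honour an erasure request: drop the subject's records, retrain from scratch,
    and append a log entry documenting the model change (hypothetical log format)."""
    old_model = train(records)
    remaining = [r for r in records if r.subject_id != subject_id]
    new_model = train(remaining)
    audit_log.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "action": "erasure",
        "subject_id": subject_id,
        "records_removed": len(records) - len(remaining),
        "model_before": fingerprint(old_model),
        "model_after": fingerprint(new_model),
    })
    return remaining, new_model


if __name__ == "__main__":
    log = []
    remaining, model = erase_subject(SAMPLE_RECORDS, "subj-42", log)
    print("word from erased record still in model:", word_seen(model, "zebra"))
    print(json.dumps(log, indent=2))
```

The audit entry records the model fingerprint before and after the erasure, so a later request can be answered by showing which model version no longer contains the subject's data. For a model whose training is not deterministic, or too large to retrain per request, this exact-retraining approach is where the difficulties the expert opinion mentions begin.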
(Christina Prowald)
Spain: Fine of 4 million euros against insurance company
The Spanish data protection supervisory authority (Agencia Española de Protección de Datos, AEPD) has imposed a fine of 4 million euros on the insurance company Generali España in a decision dated December 10, 2024. The reason for this was a data protection incident caused by security breaches.
The incident was a hacker attack that had been ongoing since September 19, 2022, and was discovered on October 5, 2022. Generali España only reported an attack on its systems in November 2022. During the attack, hackers gained access to the systems and thus also to personal data of former customers. On October 6, 2022, the user account of an insurance broker that enabled the attack was identified in a customer portal, whereupon the login details were changed and the attack was stopped. The insurance company initially assumed that only 37 people were affected. However, on November 11, 2022, it became known that personal data, including names, date of birth, place of birth, marital status, copies of ID cards, addresses, telephone numbers and bank details, had been sold via a Telegram group. As proof of this, a sample of over 24,000 data records was seized, confirming that the data was affected.
The AEPD found several violations of the GDPR, including a lack of technical and organizational measures and the absence of a data protection impact assessment. According to the fine notice, one million euros of the fine results from a breach of the principle of integrity and confidentiality of personal data (Art. 5 (1) (f) GDPR), 2 million euros from a breach of Art. 25 GDPR (data protection by design and by default) and one million euros each for a breach of the requirements of security of processing and the implementation of a data protection impact assessment (Art. 32 and Art. 35 GDPR). As Generali España paid immediately without acknowledging liability, the total amount was reduced by 20 percent to four million euros, which is possible under Spanish administrative procedure rules. The authority also ordered the insurance company to complete the data protection impact assessment within three months.
In its decision, the supervisory authority not only took into account the aforementioned breaches, but also Generali España's handling of the data protection incident. The case makes it clear that companies must take appropriate technical and organizational measures to protect their data and analyze the risk of processing in advance, especially in the case of extensive processing of sensitive data. If a data breach nevertheless occurs, any reporting and notification obligations must be examined in detail and implemented.
(Johanna Schmale)