
Newsletter data protection
Our Data Protection Law Day is coming up this month (specifically on May 16, 2025), and we have been preparing for it intensively over the past week. We have a varied program with interesting presentations by renowned speakers, exciting discussions and practical case studies. This year's program will also be rounded off by a cultural supporting program.
Anyone who has not yet registered and is interested can still register. This applies to both on-site participation at Marta Herford and online participation.
The following program awaits you:
9:00 a.m. Coffee reception
9:30 a.m. Welcome to the conference
9:45 a.m. Keynote speech by the former Federal Data Protection Commissioner Prof. Ulrich Kelber
10:40 a.m. Breakfast break
11:00 a.m. Panel discussion
12:10 p.m. Q&A session - We invite you to discuss with us
12:30 p.m. Lunch break
1:15 p.m. Case studies on data protection law
2:30 p.m. Farewell
2:45 p.m. Guided tour of the Marta Herford
3:45 p.m. End of the event
The registration form for the event can be found online at the following link: Registration for the Data Protection Law Day
For feedback on this newsletter or questions related to the newsletter topics, please email us at datenschutz@brandi.net. You can also find the other contact details on our homepage.
Dr. Sebastian Meyer and the BRANDI data protection team
Topic of the month: DeepSeek
The AI tool DeepSeek has caused quite a stir and made headlines in recent months. When the Chinese provider of the tool unveiled its latest AI model in January 2025, the question of whether China had achieved a breakthrough in the field of artificial intelligence led to a drop in the price of technology shares of American companies. DeepSeek has since been seen as a competitor to ChatGPT, the product of the leading American provider OpenAI. Shortly afterwards, the media reported on a data leak at DeepSeek, as a result of which a large number of data records were said to have been accessible on the internet without being secured.
Many companies are currently faced with the question of whether and how they can use DeepSeek in a data protection-compliant manner. This article provides an overview of the key legal requirements and a data protection assessment of DeepSeek's various framework conditions, culminating in an evaluation of whether DeepSeek can be used in compliance with data protection law.
ECJ: Data of the managing director of a legal entity falls within the scope of the GDPR
In its ruling of April 3, 2025, the ECJ had to deal with the applicability of the GDPR to data of representatives of a legal entity following a referral from a Czech court (ECJ, decision dated 03.04.2025 - Ref. C-710/23).
The initial dispute concerned a request for information from the Czech Ministry of Health regarding contracts concluded by the Ministry for the purchase of Covid-19 tests and related certificates. The Ministry had subsequently sent the certificates for the tests to the applicant, but redacted the information on the natural persons who had signed the certificates on behalf of the legal entities concerned, which was justified by the protection of personal data under the GDPR.
In particular, the referring court was faced with the question of whether the data of the natural persons representing the legal persons constitute personal data within the meaning of Art. 4 No. 1 GDPR if they serve exclusively to identify who is authorized to act on behalf of the legal person. The ECJ first clarified that, according to established case law, the wording “any information” in the definition of personal data in Art. 4 No. 1 GDPR indicates the legislator's aim to give the term a broad meaning. It potentially covers all objective and subjective information about the person in question. Accordingly, information about identified or identifiable natural persons who are authorized to represent the company as a corporate body or as a member of a corporate body, at least their name and signature, is also personal data within the meaning of Art. 4 No. 1 GDPR. The professional context in which the data occurs does not preclude it from being personal data. Nor does the purpose of the processing (namely identifying the authorized representatives of a legal entity) exclude the application of the GDPR, since the concept of processing in Art. 4 No. 2 GDPR gives no indication that the classification as processing depends on the purpose.
(Gesche Kracht)
BGH allows information on shareholders and shareholdings
In an appeal against denial of leave to appeal, the Federal Court of Justice had to deal with the question of whether shareholders in a public company are entitled to have the company disclose the names and addresses of the co-shareholders and the amount of their shareholding as part of a request for information. Specifically, a shareholder wanted to know who else held an interest in a fund company as a limited partner and to what extent, so that an offer could be made to these co-shareholders to take over their shares. The company refused to disclose the data, arguing, among other things, that the information could not be provided for data protection reasons. The company had already been ordered to provide information in the lower courts, and the BGH confirmed this assessment (BGH, decision dated 22.01.2025 - Ref. II ZB 18/23).
The BGH justifies this by stating that shareholders who participate in a company must expect that their co-shareholders will also learn their identity, address and shareholding amount. This data is necessary for the exercise of membership rights in the company, so that the data processing can be based on Art. 6 (1) (b) GDPR. This also applies in principle to fiduciary constellations, which is why the participation data was not publicly accessible in the specific case. In any case, an obligation to provide information must be assumed if it is clear what the data is required for and that there is no other, more data protection-friendly arrangement.
(Dr. Sebastian Meyer)
BGH comments again on claims for damages under Art. 82 GDPR
In its ruling of February 11, 2025, the BGH again dealt with the claim for damages under Art. 82 (1) GDPR and its requirements (BGH, decision dated 11.02.2025 - Ref. VI ZR 365/22). Specifically, it dealt with the question of when a compensable non-material claim for damages can be assumed.
The parties were in dispute, by way of an action for a declaratory judgment, over a claim for damages due to a breach of the GDPR. The plaintiff, a federal civil servant, objected to the fact that her personal data had been processed by employees of the state of Lower Saxony. The administration argued that federal civil servants and state civil servants were in principle equally obliged to maintain confidentiality and secrecy; it would therefore make no difference to the data subject (the plaintiff) by whom the data was processed. The Federal Court of Justice contradicted this view and clarified that the handling is not covered by Section 111a BBG (old version) in conjunction with Section 26 BDSG and Art. 88 GDPR, and that it constitutes processing of personal data by third parties. Furthermore, the BGH assumed that damage had occurred in the form of the loss of control caused by the transfer of the personnel files. The BGH refers here to the case law of the ECJ (e.g. ECJ, decision dated 04.10.2024 - Ref. C-200/23; decision dated 20.06.2024 - Ref. C-590/22), which regards even the mere loss of control as compensable non-material damage. A further violation of personal rights or an impairment of a certain weight is not required. The BGH did not have to decide on the specific amount of damages because the action was aimed only at establishing that, in principle, the damage incurred is to be compensated.
(Gesche Kracht)
BGH on the prosecution under competition law of inadequate data protection information
In its ruling of March 27, 2025, the BGH clarified that consumer protection associations can take action under competition law against the violation of data protection information obligations pursuant to Art. 12 (1) (1), Art. 13 (1) (c) and (e) GDPR (BGH, decision dated 17.03.2025 - Ref. I ZR 186/17).
The plaintiff in the proceedings is the German Federation of Consumer Organizations (vzbv), which is registered in the list of qualified entities pursuant to Section 4 UKlaG. The defendant was Meta Platforms Ireland Limited (Meta) as the operator of Facebook and other online services. Meta operates an “app center” on its Facebook internet platform, which makes free games from third-party providers available to users. The consumer association objected to the information on data transfer as unfair in accordance with Section 8 (1) UWG due to, among other things, a breach of statutory requirements for obtaining effective consent under data protection law. In the initial proceedings, the vzbv therefore wanted to prohibit Meta from presenting games in such a way that by clicking on the “Play game” button, consumers simultaneously declare that the game operator receives personal data and is authorized to post information on behalf of the consumer.
Individual questions regarding the compatibility of national regulations on actions brought by associations with Art. 80 (1) and (2) and Art. 84 (1) GDPR had already been referred to the ECJ for a preliminary ruling. In its previous case law, the ECJ had ruled that Art. 80 (2) GDPR can be a suitable basis for associations to pursue GDPR infringements under the UWG and the UKlaG. The plaintiff is entitled to bring such an action under Section 8 (3) No. 3 UWG and Section 3 (1) (1) No. 1 UKlaG. The presentation of the app center violates the now applicable Art. 12 (1) (1), Art. 13 (1) (c) and (e) GDPR, according to which the controller must take appropriate measures to provide the necessary information in a concise, transparent, intelligible and easily accessible form, using clear and plain language. It was not clear which data would be released, for what purpose it would be transferred, or what would happen to it at third parties. By agreeing to the posting, the user loses all control over the whereabouts and use of their data. The link to the data protection conditions was not sufficient to inform the user of the consequences of the decision.
The breach of the information obligations under data protection law also constitutes a breach of fair trading law in the form of withholding essential information pursuant to Section 5a (1) UWG (new version). Since the GDPR contains provisions on the free movement of personal data in addition to its protective provisions, the information obligations are also intended to ensure that a consumer whose consent to the processing of personal data is linked to a transactional decision is informed about the scope and impact of that declaration of consent.
(Gesche Kracht)
LG Berlin: Damages for unauthorized use of Meta Business Tools
On 4 April 2025, the Berlin II Regional Court ordered Meta to provide information, delete or anonymize data and pay damages in a total of six cases (press release dated 07.04.2025).
The parties to the lawsuit are all objecting to data processing by Meta Business Tools. These tools read and record all digital movements on websites and apps of all Facebook and Instagram users and link the collected data to a user account once it has been created. In this way, profiles can be created about people that record their political and religious views, sexual orientation or health data. According to the press release, it is estimated that Meta Business Tools are used on at least 30-40% of websites worldwide and against the explicit will of the users. Meta claims that the third-party companies are responsible for the installation and use of Meta Business Tools and therefore also for the disclosure of the data. The company's own use of the data only takes place with consent or for security purposes. At the hearing, the Berlin II Regional Court pointed out that the plaintiffs were entitled to information because Meta had stored the personal data to create the profiles, as well as a claim for deletion or anonymization due to the unlawful data processing and claims for damages pursuant to Art. 82 GDPR. The judgments are not yet final.
(Gesche Kracht)
AG Mainz: Reporting data protection violations for customer acquisition is an abuse of rights
On February 18, 2025, the Mainz District Court ruled that reporting data protection violations as a customer acquisition strategy for online marketing constitutes an abuse of rights and does not give rise to any claims under data protection law (AG Mainz, decision dated 18.02.2025 - Ref. 88 C 200/24).
The plaintiff is active in the field of online marketing and offers, for example, the creation of a professional website. As a customer acquisition strategy, he visited a large number of dentists' websites - including that of the defendant - and sent them an email pointing out alleged data protection violations on the website and offering his own services. When there was no response, the plaintiff asserted a request for information pursuant to Art. 15 GDPR, which the defendant refused with reference to Art. 12 (5) (b) GDPR. Similar proceedings by the plaintiff against dentists are ongoing in 27 other cases.
The court did not consider the plaintiff's claims to be valid. Although the GDPR was in principle applicable and the plaintiff could be entitled to data subject rights, the defendant had effectively raised the objection of abuse of rights (Section 242 BGB), which is also recognized in Union law. Under Art. 12 (5) GDPR, the controller may refuse to act in the event of manifestly unfounded or excessive requests from a data subject. By asserting data subject rights, the plaintiff was pursuing extraneous motives, namely generating revenue. The court was convinced that the plaintiff, once he had discovered a GDPR breach, used it as a business model to generate income, if not by concluding a contract with the defendant then by pursuing monetary claims. The plaintiff's mass approach also supports this.
(Gesche Kracht)
DSK: Data protection demands on the future federal government
At its meetings on March 26 and 27, 2025, the Data Protection Conference (DSK) of the supervisory authorities made demands of the future German government for a digital future based on freedom and fundamental rights (press release from 27.03.2025).
The German government must promote digitalization in Europe and ensure human-centric data usage. A number of key points were agreed at the conference: The amendment to the Federal Data Protection Act, which had already been recently sought, is to be finalized, as is a legislative project on employee data protection. When further developing security laws, compatibility with fundamental rights should be systematically examined in view of the increasing use of automated data analysis, for example. The Chairwoman of DSK 2025, Meike Kamp, commented: “Data protection is a central foundation of democracy and the basis for freedom of expression and political participation. Data use and data protection must go hand in hand. [...] The future German government is therefore urgently called upon to act in a way that is sensitive to fundamental rights and in accordance with the constitution when expanding police and intelligence service powers.”
Furthermore, the DSK sees a need for improvement in the harmonization of European digital legal acts with the GDPR for a coherent legal framework. The DSK also calls for the creation of regulations for the research and development of AI. Finally, it calls on the German government to take into account the criteria for sovereign clouds and to further expand the data protection cockpit.
(Gesche Kracht)
EDPB adopts guidelines on the processing of personal data by blockchains
At its meeting on April 14, 2025, the European Data Protection Board (EDPB) adopted its guidelines on the processing of personal data using blockchain technology (Guideline 02/2025) (press release of 14.04.2025).
Blockchain is generally understood to be a system that implements a distributed and consistent database without central administration and coordinated use according to an agreed set of rules. It can be used to confirm transactions or determine who was the owner of a digital asset at a certain point in time. Blockchains can also support the secure handling and transfer of data. In view of the spread of the technology, the EDPB's guideline aims to help users of blockchains to use them in compliance with the GDPR.
The guideline first describes the functional relationships and structures of blockchains. It then goes into more detail about data processing in the context of blockchain use. The guideline emphasizes the importance of technical and organizational measures already at the development stage. Before processing data using blockchain technology, a data protection impact assessment should be carried out if the data processing is associated with a high risk. The guideline provides examples of different types of data minimization as well as the handling and storage of data. Finally, the rights of data subjects are discussed. Comments on the guideline can be submitted until June 9.
(Gesche Kracht)
BfDI presents 33rd activity report
On April 10, 2025, the current Federal Commissioner for Data Protection and Freedom of Information (BfDI) Prof. Dr. Specht-Riemenschneider presented the 33rd activity report (press release 3/2025 of 10.04.2025).
Overall, the statistics show an increased awareness of the issue of data protection. Compared to the previous year, there was an increase in all subject areas with a total of 8,670 complaints. Inspections as well as advice and information visits remained constant and the range of advice on offer was expanded. Particularly in the area of digital health, for example as part of the introduction of the electronic patient file, one can look back on significant successes in the past year, in which the rights of those affected were strengthened and compliance with information obligations was ensured. The AI Regulation was also adopted last year, and the regulations must be reconciled with data protection law. The BfDI continues to pursue a strategy of early dialog with all parties involved and invites them to exchange ideas.
Similar to the demands of the DSK, the central recommendations of the activity report include the resumption of legislative initiatives on employee data protection and the amendment of the BDSG, as well as the creation of a legal basis for the training of AI. Further recommendations are the practical implementation of the national parliament's broad understanding of transparency in the context of administrative digitization, the introduction of a reporting obligation for security breaches, the creation of a legal basis for military intelligence, and a commitment to revising the EU draft regulation on chat control in line with fundamental rights.
(Gesche Kracht)
HmbBfDI on guest access in online trading
The Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI) was able to enforce improvements to the obligation to allow guests to place orders in online shops by conducting a review independent of complaints (press release of 12.03.2025).
In its decision from 2022, the DSK had already determined that online retailers may not oblige their customers to create a customer account, as this would violate the principle of data minimization, but that it must also be possible to place guest orders without permanent registration (decision of 24.03.2022). In January 2025, the HmbBfDI reviewed relevant online stores in Hamburg in light of this. The majority of the websites reviewed contained corresponding options. In one case, the HmbBfDI was able to ensure that the guest ordering option was set up after being requested to do so.
According to the DSK, exceptions to the obligation to place guest orders can be permitted if the requirement is implemented through other measures. A mail order company that operates as an online marketplace referred to this. The service could be handled much more efficiently here via a standardized customer account and alternative measures would be taken. The HmbBfDI therefore considered the requirements for an exception to be met, which was confirmed by the Higher Regional Court of Hamburg (OLG Hamburg, decision dated 27.02.2025 - Ref. 5 U 30/24, GRUR-RS 2025, 3406).
The HmbBfDI has announced that it will continue its reviews. In cases of doubt, online retailers should generally assume that they are obliged to set up guest access.
(Gesche Kracht)
Great Britain: Fine of almost 3.1 million pounds imposed
On March 25, 2025, the Information Commissioner's Office (ICO) in the UK imposed a fine of 3.076 million GBP on Aston Midco Limited and its subsidiaries, Advanced Computer Software Group Limited and Advanced Health & Care Limited (decision dated 26.03.2025).
Advanced offers IT services in various sectors, including healthcare, legal and education. The company provides software for patient management and clinical decision support, for example.
A hacker had exploited a security vulnerability known as ZeroLogon, which makes it possible to bypass authentication and gain administrator rights. The National Institute of Standards and Technology (NIST) had previously classified the vulnerability as a significant security risk and advised users to install updates as soon as possible; Microsoft had already made corresponding security patches available in 2020. Despite being aware of the risk, Advanced Health & Care had failed to implement appropriate technical and organizational measures to ensure an adequate level of security and continued to lack effective vulnerability management. The ICO considered this to be a breach of Art. 32 UK GDPR.
As a result of the attack, the data of 82,946 people was accessed, including medical records, which are considered to be particularly protected. The fine was imposed on the parent company of the Advanced companies on the basis of Art. 82, Art. 83 (2) (d) UK GDPR.
(Gesche Kracht)