Data Protection Newsletter 06 / 2025


Last month, on May 16, 2025, our Data Protection Law Day took place at Marta Herford. The day offered a varied programme with exciting presentations and lively discussions on the topics of digitalization and data protection. In the afternoon, there were presentations on specific data protection cases, followed by a guided tour of the Marta, which was met with great interest. You can gain an initial insight into our Data Protection Law Day with the main topic of this newsletter, which is based on one of the case studies. In the next newsletter, we will then focus on the entire Data Protection Law Day and provide an insight into the technical discussions of the day.

For feedback on this newsletter or questions related to the newsletter topics, please email us at datenschutz@brandi.net. You can also find the other contact details on our homepage.

Dr. Sebastian Meyer and the BRANDI data protection team

 

Topic of the month: Legal and technical requirements for sending invoices electronically

With the Growth Opportunities Act (Federal Law Gazette I 2024 No. 108), the VAT regulations for issuing invoices in the B2B sector have been revised. All sales that occur and are invoiced from January 1, 2025 on are affected. Under the old legal situation, there was already a legal obligation to issue an invoice for a service to another entrepreneur within six months of the service being performed if the transaction was not tax-exempt under Section 4 Nos. 8 to 29 UStG. Since January 1, 2025, the legislator has obliged entrepreneurs in the B2B sector to issue invoices as electronic invoices (hereinafter: e-invoices). Until December 31, 2024, this term also included sending invoices by email (with a PDF attachment if necessary), making the invoice available for download on an online portal, sending invoices by electronic data interchange (EDI) and sending invoices by fax. The term electronic invoice or e-invoice has now been given a stricter definition in Section 14 (1) (3) UStG. According to this, an e-invoice is an invoice that is issued, transmitted and received in a structured electronic format and enables electronic processing. However, if invoices are sent in an electronic format that does not meet these requirements, for example as a PDF attachment by email, or on paper by letter, they are not e-invoices as defined above, but “other invoices” within the meaning of Section 14 (1) (4) UStG.

The following article will break down the implications of these changes for companies and the security requirements that electronic invoicing must now meet.


 

ECJ: Disclosure of data to a supervisory authority

Following a referral by a Bulgarian court, the ECJ, in its ruling of April 30, 2025, had to deal with whether the disclosure of data of judges, public prosecutors and criminal prosecutors and their family members that is covered by banking secrecy falls within the scope of the GDPR (ECJ, decision dated 30.04.2025 - Ref. C-313/23, C-316/23, C-332/23).

A Bulgarian supervisory authority, whose task is to investigate cases of undue influence on judges, public prosecutors or criminal prosecutors, had requested the referring court to lift banking secrecy with regard to the bank accounts of several judges, public prosecutors, criminal prosecutors and their family members. The Bulgarian court then asked itself what obligations arise from the GDPR when authorizing access to the data and whether an authorizing court should be regarded as a “controller” within the meaning of Art. 4 No. 7 GDPR or as a supervisory authority within the meaning of Art. 51 GDPR.

The ECJ first states that the material scope of the GDPR is to be understood very broadly. The fact that information concerns judges and is related to their activities does not justify an exemption of national regulations from the scope of application. The list of exceptions in Art. 2 (2) and (3) GDPR is exhaustive. Although ensuring the proper administration of justice falls within the competence of the Member States, data processing such as that in question does not serve to safeguard national security in accordance with Art. 2 (2) (a) GDPR or any other exemption provision of the GDPR. The disclosure of personal data to the supervisory authority therefore falls within the scope of the GDPR. However, the court is neither the controller within the meaning of Art. 4 No. 7 GDPR, as it does not determine the purpose of the processing, nor the supervisory authority pursuant to Art. 51 GDPR. In addition to the supervisory authorities, the national courts are also responsible for monitoring compliance with the GDPR if an appeal has been lodged with them. However, if such an appeal pursuant to Art. 78 (1) or Art. 79 (1) GDPR has not been lodged and the courts have not been granted any explicit supervisory powers, they are not obliged to monitor and ensure the protection of data subjects and the security of personal data ex officio.

(Gesche Kracht)

 

BAG on digital payroll accounting

In a decision dated January 28, 2025, the Federal Labor Court had to deal with, in addition to other questions regarding digital payroll accounting, its admissibility under data protection law (BAG, decision dated 28.01.2025 - Ref. 9 AZR 48/24).

The parties disputed whether a payroll was effectively issued by posting it in a digital employee mailbox. The plaintiff worked for the defendant, for which a group works agreement regulated the introduction and use of a digital employee mailbox. On this basis, the defendant only made payroll available electronically, whereupon the plaintiff objected.

The Court also addresses data protection aspects in the reasons for its decision. The digital provision is not inadmissible merely because it is not required under data protection law. The data processing could be based on Art. 6 (1) (c) and (3) GDPR in conjunction with Section 26 (1) (1) BDSG, because it serves the employer's obligation to prepare accounts as stipulated in Section 108 (1) (1) GewO. Nor were there any data protection concerns about the external provider of the mailbox acting as a processor in accordance with Art. 28 (3) GDPR. There were no indications of non-compliance with the resulting requirements. The regulation on the employee mailbox does not violate data protection law.

(Gesche Kracht)

 

OVG Berlin rejects claim for surrender of video recordings

On May 13, 2025, the Berlin Higher Administrative Court ruled that passengers have no claim against the operator of the public suburban train network in Berlin for the release of video recordings of a suburban train journey (press release of 13.05.2025).

In the main proceedings, a defendant - a passenger on the suburban train - had requested the operator of the suburban train network in Berlin, S-Bahn Berlin GmbH, to hand over a copy of the video recording of his journey on the basis of Art. 15 (3) GDPR. The plaintiff, S-Bahn Berlin GmbH, refused to hand over the recording, citing its data protection concept. The data protection concept stipulates that video recordings are only released in the event of requests for information from law enforcement authorities and are otherwise deleted by overwriting. S-Bahn Berlin GmbH does not inspect the recordings. In the opinion of the OVG, disclosure could be refused. The data protection concept pursues precisely the goal of taking the GDPR and the personal rights of passengers into account as far as possible. In contrast, the interests of the defendant had to stand back. The appeal was allowed.

(Gesche Kracht)

 

OLG Cologne: Summary proceedings against Meta

From May 27, 2025 on, the Meta Group will begin training the “Meta AI” chatbot, which can already be found on Facebook Messenger, Instagram and WhatsApp, with all public content on the platforms and communication with the chatbot. Meta relies on a legitimate interest for the AI training. It is also possible to object beyond this date, although it is difficult to implement the objection retrospectively once the data has been used for AI training.

Following an unsuccessful warning, the NRW consumer advice center had applied for a temporary injunction against Meta (press release of 13.05.2025). This was justified in particular by doubts about the invocation of a legitimate interest. It was also problematic that it could not be ruled out that sensitive data or data of minors could be used for training. The Cologne Higher Regional Court rejected the application on May 23, 2025 (press release of 30.05.2025). After a preliminary and summary examination, the announced use of data for AI training is lawful within the meaning of Art. 6 (1) (f) GDPR. Meta pursues a legitimate purpose that outweighs the rights of users. In addition, various measures were taken to mitigate the interference and users were informed at an early stage. In the opinion of the Court, there is also no violation of Art. 5 (2) DMA. This means that Meta may use user data for AI training for the time being, provided no individual objection is raised.

The data protection supervisory authorities also have the issue on their radar, with the LDI NRW, for example, pointing out that all responsible parties should carefully examine the extent to which personal data is processed via the social media presence or otherwise object to the AI training (press release of 20.05.2025). The Hamburg Commissioner for Data Protection and Freedom of Information had also initially considered taking legal action against Meta, but refrained from doing so after consultation with the German supervisory authorities in order to ensure a uniform approach (press release of 27.05.2025).

(Gesche Kracht)

 

LG Hamburg: Liability of legal databases

In its judgment of May 9, 2025, the Regional Court of Hamburg had to deal with the liability of the legal database OpenJur with regard to the publication of court decisions with personal data (LG Hamburg, decision dated 09.05.2025 - Ref. 324 O 278/23).

In the past, the plaintiff - a lawyer - had appeared as an applicant in proceedings relating to enforcement proceedings brought against him by the lawyers' pension fund. The resulting order contained information about the plaintiff's former job, that he had received unemployment benefit 1 and about his financial situation. The decision was published by the defendant's case law database OpenJur on its own website, stating the plaintiff's real name in the decision. The plaintiff then asserted claims for injunctive relief and damages before the Hamburg Regional Court for violation of his right to informational self-determination by the publication.

However, the Hamburg Regional Court rejected the plaintiff's claim for injunctive relief under Art. 17 GDPR. The publication of court decisions in the case law database operated by the defendant was subject to the exception of Art. 85 (2) GDPR. According to this provision, Member States shall provide derogations or exemptions from the provisions of the GDPR for data processing for journalistic purposes or scientific, artistic or literary purposes if this is necessary to reconcile the right to the protection of personal data with the freedom of expression and information (so-called media privilege). In the opinion of the court, the defendant's activity should be classified as editorial activity. This is supported in particular by the fact that the defendant specifically requests decisions for publication from courts, adds its own guiding sentences to decisions or makes a selection from decisions submitted. The fact that the majority of the decisions - including the decision in question - are taken over in an automated manner is irrelevant, since the “manual” work carried out by the defendant in the context of the uniformly offered database is inseparably linked to the other content. The contributions to the database could therefore only fall under the scope exception as a whole. In addition, processing for scientific purposes is assumed.

In the absence of the applicability of the GDPR, the request for injunctive relief should be based on national law. The court acknowledges that the publication impairs the plaintiff's general right of personality and may harm his professional advancement. However, OpenJur had safeguarded legitimate interests in the publication, as the case law database of the country from which the decision was taken is a privileged source that may be trusted. The defendant was therefore entitled to assume that the publication did not infringe the rights of third parties without any obligation to conduct further research.

(Gesche Kracht)

 

LArbG Hesse: Exclusion of a works council member

In its decision of March 10, 2025, the Hesse Regional Labour Court determined that the violation of data protection obligations pursuant to Section 79a (1) BetrVG can lead to the exclusion of a works council member (LArbG Hesse, decision dated 10.03.2025 - Ref. 16 TaBV 109/24).

The applicant in the proceedings runs a clinic where a works council - whose chairman is the respondent - has been formed. The employer discovered that a rule had been set up in the works council chairman's work email account whereby all incoming emails were automatically forwarded to his private email address. Even after a warning, further business appointments, documents and emails were forwarded to a new private email address. The employer was of the opinion that the works council chairman had grossly violated his statutory duties as a works council member by forwarding emails to his private email account and asserted his exclusion from the works council before the labor court.

Pursuant to Section 23 (1) (1) BetrVG, the exclusion of a member from the works council can be demanded for gross violation of statutory duties. Pursuant to Section 79a (1) BetrVG, the works council is also obliged to comply with data protection when processing personal data. Within its area of responsibility, the works council must independently take technical and organizational measures to ensure data security. The forwarded documents contained names, pay scale groups, salaries, classifications and other information that constituted personal data within the meaning of Art. 4 No. 1 GDPR. The Court found that the processing was not lawful due to the forwarding. There was neither a necessity within the meaning of Section 26 (1) (1) BDSG nor consent pursuant to Section 26 (2) BDSG of the employees concerned and therefore no legal basis. There was a breach of Art. 5 (1) GDPR and Art. 6 (1) GDPR. The breach of duty is objectively significant and obviously serious, consequently also “gross” within the meaning of Section 23 (1) BetrVG and may lead to exclusion.

(Gesche Kracht)

 

EDPB on the adequacy decision for the European Patent Office

On 5 May 2025, the European Data Protection Board (EDPB) adopted an opinion regarding the adequacy decision on the European Patent Organization (EPO) planned by the European Commission (press release of 06.05.2025).

In its opinion, the EDPB assesses the EPO's data protection framework and addresses data protection aspects of the adequacy decision. It is noted positively that the EPO's data protection framework is essentially aligned with that of the European Union. In future reviews of the adequacy decision, state access to data transferred from the EU to the EPO should be monitored in particular.

Once formally adopted by the Commission, this would be the first adequacy decision concerning an international organization and not a country. The EDPB takes the opinion as an opportunity to encourage the Commission to continue the dialogue with international organizations in order to further develop this category of adequacy decisions.

(Gesche Kracht)

 

EDPB on the extension of the adequacy decisions with the UK

On May 5, 2025, the EDPB also adopted an opinion on the extension of the UK's adequacy decisions (press release of 06.05.2025).

The UK's two adequacy decisions - issued in June 2021 on the basis of the GDPR and the Law Enforcement Directive (LED) - expire on June 27, 2025 and are now to be extended for six months. A data protection reform was initiated in the UK in October 2024. The legislative process is not expected to be completed until late spring. In light of this, the EDPB recognizes the need for an extension of the adequacy decisions, as this will give the European Commission sufficient time to assess the UK's updated legal framework following the adoption of the reform.

In its opinion, the EDPB emphasizes that this only relates to the extension of the adequacy decision and not to the level of protection granted in the UK. The extension is an exception that is attributable to the legislative process and should not be extended any further.

(Gesche Kracht)

 

HmbBfDI publishes guidance on the Data Act

With regard to the European Data Act, which will apply from September 12, 2025, the Hamburg Commissioner for Data Protection and Freedom of Information has now published a guide to support companies in reconciling data protection with compliance with the requirements of the Data Act (press release of 29.04.2025).

The Data Act obliges manufacturers of internet-enabled devices to share the data of networked devices with users (private individuals and companies) and to allow users to determine to whom the data should be disclosed. The Data Act sets out numerous obligations in this regard.

The handout first presents the key processes that should take place when implementing the Data Act in the company concerned. It also discusses the coexistence of the GDPR and the Data Act. Art. 1 (5) of the Data Act stipulates that the GDPR remains unaffected. Both legal acts are of equal rank; only in cases of irreconcilable conflict should a decision be made in favor of data protection law. Finally, the instruments and responsibilities of the data protection supervisory authorities are presented.

(Gesche Kracht)

 

Ireland: Fine of 530 million euros against TikTok

On May 2, 2025, the Irish Data Protection Authority (DPC) imposed a fine of 530 million euros on TikTok Technology Limited (TikTok) for the unlawful transfer of European users' data to China (press release of May 2, 2025).

The DPC found that European user data could be accessed from Chinese servers. TikTok also initially stated during the investigation that no user data was stored on servers in China, but later corrected this to the effect that a problem had been discovered as a result of which limited EU user data was stored on servers in China. In the opinion of the DPC, Chinese law could not guarantee an essentially equivalent level of protection. In particular, the anti-terrorism law, the anti-espionage law, the cyber security law and the national intelligence law deviate significantly from EU standards. TikTok had failed to adequately assess the level of protection and, as a result, had not selected appropriate safeguards that would ensure equivalent protection. Furthermore, the privacy policy at the time did not meet the requirements of Art. 13 (1) (f) GDPR with regard to transparency. TikTok had neither named third countries to which data is transferred nor sufficiently explained the data transfer in the privacy policy.

(Gesche Kracht)

 

Poland: Fine of approx. 6 million euros against the Polish Post

The President of the Data Protection Authority in Poland has imposed a fine of 6,444,174 euros on the Polish Post and a fine of 23,757 euros on the Minister for Digital Affairs. The underlying facts concerned the data processing of 30 million citizens in relation to the preparation of a postal vote in 2020 (press release of 18.03.2025).

In the course of the Covid-19 pandemic, there had been efforts to organize the presidential election in Poland in the form of a postal vote. In preparation for this, the personal identification numbers (PESEL) of Polish voters and other data were made available to the Polish postal service without the relevant amendment to the electoral law already being in force. The data was therefore processed without a legal basis, which constitutes a violation of Art. 5 (1) (a) and Art. 6 (3) GDPR. The Minister for Digital Affairs had given his consent to this, although he should have been aware of the law due to his responsibility for the PESEL register and should have protected the rights and freedoms of citizens.

(Gesche Kracht)