Newsletter data protection

With this main topic, we look back on our Data Protection Law Day on the subject of "Data protection and digitalisation" and summarise the key findings from the day's expert discussions once again. Prof. Ulrich Kelber presented various data protection law issues, regulatory challenges and current legal uncertainties. In addition, current and practice-relevant cases were examined using various case studies. The responsibility for multi-level processing systems was discussed in more detail using the example of the ticket purchasing system, as well as the data protection classification of selected framework conditions of AI tools and a judgement by the Higher Regional Court of Schleswig on the manipulation of invoices sent electronically.

There were other interesting publications by the Data Protection Conference (DSK) last month, some of which are presented in this newsletter. These include the development of a guideline on recommended technical and organisational measures for the development and operation of AI systems, as well as the publication of a position paper on the data protection-compliant use of service providers for online appointment bookings and appointment management.

If you have any feedback on this newsletter or questions in connection with the topics covered in it, please send an email to datenschutz@brandi.net. Further contact details can also be found on our homepage.

Dr. Sebastian Meyer and the BRANDI data protection team


Topic of the month: BRANDI Data Protection Law Day on the topic of "Data protection and digitalisation"

Prof. Ulrich Kelber, former Federal Data Protection Commissioner, was a guest at BRANDI for the sixth Data Protection Law Day on May 16, 2025. As part of the event on the topic of "Data protection and digitalisation", Prof. Kelber gave an interesting insight into current issues and developments in the field of AI and his work as Federal Data Protection Commissioner in a discussion with BRANDI lawyers, including Dr. Sebastian Meyer, Dr. Christoph Rempe, Dr. Daniel Wittig and Dr. Christoph Worms. As announced, we would like to look back on the Data Protection Law Day in this main topic and provide an insight into the specialist discussions and presentations as part of a summary.



OLG Dresden, OLG Jena and KG Berlin on GDPR damages for Facebook scraping

In recent months, several courts have again dealt with the claim for damages pursuant to Art. 82 GDPR. Decisions in this regard were recently handed down by the Higher Regional Court of Dresden, the Higher Regional Court of Jena and the Court of Appeal. All of the proceedings centred on the question of whether the outflow of data from Facebook caused compensable damage to users due to inadequate protective measures on the part of the provider.

The Higher Regional Court of Dresden denied an affected Facebook user a claim for damages in its entirety (OLG Dresden, decision dated 29.04.2025 - Ref. 4 U 1385/24). Facebook had violated the data protection provisions of the GDPR in several respects. However, the plaintiff did not succeed in proving causal damage. The telephone number concerned had already been published by the plaintiff himself on a publicly accessible website, as a result of which he had already lost control of this data. The plaintiff did not provide sufficient credible evidence of any further damage.

In a similar case, the Court of Appeal in Berlin also denied a plaintiff's claim for damages under Art. 82 GDPR (KG Berlin, decision dated 03.04.2025 - Ref. 1 U 44/23). In this case, the plaintiff had already published the personal data in question on her blog before 2018 and had therefore lost control of this data. The court was therefore unable to establish causal damage.

The Higher Regional Court of Jena also denied a plaintiff a claim for damages under Art. 82 GDPR (OLG Jena, decision dated 21.03.2025 - Ref. 2 U 583/23). The claim did not exist as the plaintiff was unable to prove that the outflow of personal data took place after May 25, 2018 - the date on which the GDPR came into force. The burden of proof for this lies with the plaintiff. By conclusively arguing that it no longer had any log files that could provide information about the specific time of data access, the defendant satisfied its secondary burden of proof. In the opinion of the Senate, the inability to clarify the timing of the scraping incident is therefore to the detriment of the plaintiff.

As a result, it can be stated that the majority of courts now assume that a claim for damages may exist on the merits, but that the requirements for proving damage cannot be met with a generalised submission.

(Marc-Levin Joppek)


OLG Nuremberg: SCHUFA may retain debtor data for 3 years after settlement of outstanding claims

With regard to the retention of debtor data, the Higher Regional Court of Nuremberg ruled on May 5, 2025 that the settlement of a claim does not justify a claim for deletion of the corresponding SCHUFA entry and that the debtor data may be retained for three years (OLG Nuremberg, decision dated 05.05.2025 - Ref. 3 U 1670/24).

The main proceedings are based on an invoice for 329.94 euros for telecommunication services provided, which the plaintiff - the debtor of this claim - did not pay for six years despite an enforcement order. The defendant - SCHUFA - stored a corresponding entry for the purpose of credit reporting, both for the original non-payment and for the settlement of this claim on September 27, 2022. The debtor sued to have his entry deleted, the score value corrected and the defendant ordered to refrain from storing it again.

The burden of presentation and proof for unlawful data processing is to be determined in accordance with national regulations. Insofar as the interests to be taken into account in the context of the balancing of interests pursuant to Art. 6 (1) (f) GDPR were concerned, this would lie with the data subject. This would result in particular from the wording "[...] unless [...]", which expresses a rule-exception relationship in favour of the legitimate interest of the controller. In the context of the credit industry, the defendant's contractual partners - and thus also the defendant - have a legitimate interest in information about the creditworthiness and thus the reliability of the plaintiff in past contractual relationships, which is particularly worthy of protection under Art. 8 of Directive 2008/48/EC on consumer credit agreements. In the opinion of the Court, mere settlement does not justify a claim for deletion. The storage period was to be determined by weighing up the interests, whereby a storage period of three years based on the three-year standard period of the defendant's Code of Conduct, taking into account the non-payment over a period of six years, was not objectionable. Consequently, the Court rejected a claim for cancellation of the entry. The plaintiff's claims for correction of the score value and for the omission of renewed storage were also rejected due to the legality of the data processing.

(Mira Husemann)


Hanover Regional Court: Pseudonymised data without assignment to a specific person is de facto anonymous

In its decision of February 26, 2025, the Regional Court of Hanover had to deal with the distinction between pseudonymisation and anonymisation in the context of fine proceedings brought by the State Commissioner for Data Protection of Lower Saxony, in which the person concerned was accused of violating data protection regulations when disclosing data (LG Hannover, decision dated 26.02.2025 - Ref. 128 OWiLG 1/24, BeckRS 2025, 3463).

Several settlements were reached by the affected party to end criminal proceedings and civil court actions in connection with the manipulation of emissions values in the United States of America. A so-called "compliance monitor" or "compliance auditor" reviewed and monitored compliance with the provisions contained in the settlements in order to minimise the risk of recurrence. In particular, no misconduct by individual employees of the affected party was to be identified. In order to fulfil this task, the affected party transmitted personal data to this "compliance monitor", predominantly in pseudonymised form.

In the opinion of the Regional Court, the assessment of whether pseudonymisation or anonymisation is present must be based on the perspective of the recipient. Insofar as the "compliance monitor" located abroad is not able to assign the personnel numbers to specific persons, the persons behind them are in fact anonymous (anonymising pseudonymisation). It is even sufficient that the "compliance monitor" has no reason to assign the pseudonyms to individual persons because it could have demanded the disclosure of the clear names and was satisfied with the pseudonymised data.

(Mira Husemann)


Koblenz Regional Court: Payment to third-party account after hacker attack

In its judgement of March 26, 2025, the Regional Court of Koblenz had to deal with the question of whether a contractor whose email account was hacked and used to manipulate correspondence with the customer must allow payments made by his customer to a fraudster's account to be credited against his claim (press release).

The Regional Court upheld the claim for payment of 75% of the contractor's remuneration and dismissed the remaining 25%. The plaintiff - a contractor - carried out fence construction work for the defendant. The fact that the last email, containing a notification of new bank details for payment of the invoice, was presumably sent from the contractor's email account did not justify the presumption that this email was actually sent by the contractor (or with his consent). On the contrary, the parties were aware that email correspondence was an insecure and forgery-prone means of communication and deliberately accepted this in order to simplify matters.

On the other hand, in the opinion of the Regional Court, the defendant is entitled to claim damages under data protection law pursuant to Art. 82 GDPR due to inadequate protection of sensitive data, such as the personal data contained in the invoice and his email address. However, the defendant had to accept considerable contributory negligence, as the new bank details indicated a third-party payee and should have been scrutinised accordingly. The screenshots showing the transfers were also only sent via WhatsApp and therefore did not allow the contractor to check them carefully.

(Mira Husemann)


DSK: Technical and organisational measures for the development and operation of AI systems

The DSK has published guidance on recommended technical and organisational measures for the development and operation of AI systems. The guidance distinguishes between the different life cycle phases of an AI system, ranging from design and development to implementation and operation. Key points are the protection goals such as confidentiality, integrity, intervenability, transparency and unlinkability, which should be considered in each phase. Overall, a proactive approach to data protection is recommended in order to protect the rights and freedoms of natural persons. The recommendations are designed both to fulfil legal requirements and to strengthen users' trust in AI technologies.

(Marc-Levin Joppek)


DSK: Data protection for online bookings of medical appointments

The DSK has published a position paper on the data protection-compliant use of service providers for online appointment bookings and appointment management, summarising the positions of the federal and state data protection supervisory authorities on this topic.

In the opinion of the supervisory authorities, the outsourcing of appointment management by medical practices to an external company acting as a processor in accordance with Art. 28 GDPR is generally permissible. Patient data can also be entered in the appointment diary without consent, provided that only the data required for the appointment is recorded, i.e. in particular name, date of birth, treating doctor, type of appointment and a contact option. In this respect, data processing can be based on the legal bases of Art. 6 (1) (b) and Art. 9 (2) (h) GDPR. Appointment reminders, on the other hand, are not absolutely necessary for the fulfilment of the appointment and should therefore only be sent with the patient's consent. The entries in the appointment diary are not subject to the professional documentation obligation and should therefore be deleted shortly after the appointment.

Patients must be informed about the involvement of an external service provider for the allocation of appointments in accordance with Art. 13 et seq. GDPR. In addition, suitable technical and organisational measures must be taken to ensure the protection of patient data. The corresponding measures must be bindingly set out in the contractual agreement with the service provider.

The explanations in the position paper are also helpful for other sectors and professional groups, in particular for other professional secrecy holders such as lawyers, tax consultants or auditors.

(Marc-Levin Joppek)


France: Fine of 80 thousand euros against Caloga

On May 15, 2025, the French data protection authority CNIL imposed a fine of 80,000 euros on Caloga for violations of data protection law in connection with the use of personal data for advertising purposes (press release of 27.05.2025).

The French company acquired personal data from data traders, among others, who in turn obtained this data from entry forms for competitions or online product tests. Caloga used this data to send advertising emails on behalf of its customers. In the opinion of the CNIL, there was no effective consent from the data subjects for the use of the data to send the advertising emails. The authority also found that it was difficult for the data subjects to withdraw their consent. Furthermore, the supervisory authority criticised additional infringements with regard to the data protection-compliant storage of the data concerned.

(Marc-Levin Joppek)


Ireland: Fine of 550 thousand euros against Department of Social Protection

The Irish Data Protection Authority has imposed a fine of 550,000 euros on the Department of Social Protection (DSP) (press release dated 12.06.2025). The imposition of the fine was preceded by an investigation into the processing of facial templates by the DSP and the associated use of facial recognition technologies as part of the registration process for the Public Services Card.

The supervisory authority found, among other things, that the DSP had not specified a suitable legal basis for the collection of biometric data. In addition, the data subjects did not receive sufficient and transparent information about the processing of their data. The data protection impact assessment was also carried out inadequately.

(Marc-Levin Joppek)


Germany: Fines totalling 45 million euros against Vodafone

The Federal Commissioner for Data Protection and Freedom of Information (BfDI), Prof. Dr. Louisa Specht-Riemenschneider, has imposed two fines totalling 45 million euros on Vodafone GmbH (press release of June 2025).

The fine of 15 million euros was imposed because the company did not sufficiently fulfil its obligation to monitor the commissioned processors under data protection law. Employees of the partner agencies had the opportunity - at the expense of the customers concerned - to create new contracts or manipulate existing contracts without authorisation. Due to serious security gaps in the authentication process for the combined use of the online portal "MeinVodafone" and the customer hotline, a further fine of 30 million euros was imposed. The inadequate security made it possible for unauthorised persons to access eSIM profiles, for example.

The BfDI also issued a warning because the existing technical and organisational measures did not meet the requirements for adequate protection of the processed data.

(Marc-Levin Joppek)