Newsletter data protection

Dear readers,

On July 12, 2024, the new Regulation laying down harmonised rules on artificial intelligence (Artificial Intelligence Act) was published in the Official Journal of the EU. The AI Regulation entered into force on August 1, 2024, and the transition periods are now running. As a rule, its provisions apply from August 2, 2026. By way of exception, the general provisions and the prohibitions of certain AI practices (Chapters I and II of the Regulation) already apply from February 2, 2025. From August 2, 2025, the next stage follows with the rules on general-purpose AI models, governance and penalties (Chapter III Section 4, Chapters V, VII and XII, and Art. 78, with the exception of Art. 101). A single provision on the classification of high-risk AI systems (Art. 6 (1)), together with the corresponding obligations, applies last, from August 2, 2027.

The supervisory authorities have also returned to the topic. The Hamburg Data Protection Commissioner (HmbBfDI), for example, has published a new discussion paper on the relationship between the GDPR and the AI Regulation. The Baden-Württemberg State Commissioner for Data Protection and Freedom of Information (LfDI) has produced the AI & Data Protection Navigator ("ONKIDA"), which compares the recommendations the supervisory authorities have issued so far.

For feedback on this newsletter or questions related to the newsletter topics, please email us at datenschutz@brandi.net. You can also find the other contact details on our homepage.

Dr. Sebastian Meyer and the BRANDI data protection team

Topic of the month: Joint controllership within the Group

For many companies that are part of a group structure, there is a need to transfer personal data within the group or to process it jointly in some other way, for example if one company carries out personnel administration or accounting for all other companies in the group or provides IT support. Of relevance here is not only the classic case of data transfer in the sense of direct transmission, but also the retrieval of information or access by a group company to data assigned to another group company as the controller, for example in the case of shared databases and systems as well as group-wide directories.

If personal data is to be exchanged within a group of companies, a legal basis is required. Companies belonging to a group fall under the data protection term "group of undertakings" within the meaning of Art. 4 No. 19 GDPR. In principle, the companies in such a group are each independent controllers, so that a transfer between them is a transfer to another controller and thus processing that requires a legal basis. Since neither the GDPR nor the BDSG contains a special legal basis (a so-called "group privilege") or any other privileged rule for intra-group transfers, the general legal bases apply.

EU Commission and Microsoft file suit against EDPS

The European Commission and Microsoft each filed a complaint against the European Data Protection Supervisor (EDPS) in May. In March, following an investigation, the EDPS found that the European Commission was violating several provisions of the GDPR by using Microsoft 365 and subsequently imposed various remedial measures on the Commission (we reported in April 2024). The General Court of the European Union will now have to deal with the requirements for data protection-compliant use of Microsoft 365.

In support of its complaint, the EU Commission argued, among other things, that the purposes and categories of data concerned had been properly defined in the contracts and that the Commission had provided sufficiently clearly documented instructions. Moreover, contrary to the opinion of the EDPS, the Commission had also ensured that Microsoft only processed the data in accordance with documented instructions. Microsoft cited similar reasons and also pointed out that the EDPS had ordered disproportionate remedial measures.

(Christina Prowald)

ECJ: Representative actions also apply to information rights

In its judgment of July 11, 2024, the ECJ clarified the requirements for representative actions (ECJ, judgment of July 11, 2024 - Ref. C-757/22). The ruling concerns a dispute between Meta and the Federation of German Consumer Organisations (vzbv) over various data protection violations in Facebook's "App Center".

The ECJ ruled that Art. 80 (2) GDPR must be interpreted as allowing an authorised body to bring a representative action where it claims that the rights of a data subject have been infringed "as a result of processing". Such an infringement can follow from disregard of the information obligations under Art. 12 (1) sentence 1 and Art. 13 (1) (c) and (e) GDPR, under which the data subject must receive the information on the purposes of the processing and the recipients of the data in a concise, transparent, intelligible and easily accessible form, using clear and plain language, at the latest when the data is collected. The ECJ reasons that the controller's obligation to inform is the corollary of the data subject's right to information, which is one of the rights protected by Art. 80 (2) GDPR; moreover, valid consent presupposes that the data subject has received the relevant information beforehand. That right to information follows from Art. 12 and 13 GDPR. Since processing personal data in breach of the right to information infringes the GDPR, the breach of this right is a violation of the data subject's rights "as a result of processing" within the meaning of Art. 80 (2) GDPR. The right to information, and with it indirectly the duty to inform, can therefore be enforced through the representative action mechanism.

(Christina Prowald)

OLG Frankfurt: Microsoft liable for data breaches by website operators

On June 27, 2024, the Higher Regional Court of Frankfurt am Main ruled that Microsoft is liable in connection with data processing for advertisements ("Microsoft Advertising") for the consent-free storage of technically unnecessary cookies via third-party websites (OLG Frankfurt a. M., decision dated 27.06.2024 - Ref. 6 U 192/23; press release of 23.07.2024).

The plaintiff had stated that she had visited various third-party websites and that cookies connected with the Microsoft Advertising service had been placed on her device without her consent. She then demanded that Microsoft refrain from storing cookies on her end devices without the required consent. The Higher Regional Court of Frankfurt has now held that the plaintiff is entitled to injunctive relief. By setting the cookies, Microsoft infringed the statutory requirements, which prohibit storing information on, or accessing information already stored in, the end user's networked end device without the end user's consent. Microsoft is the perpetrator of the infringement, since it stores the information in the form of cookies on users' end devices and accesses the stored information, which the website operators make available to it after reading it out. Microsoft could not exonerate itself by contractually obliging the website operators to obtain the necessary consent. Rather, Microsoft must ensure that consent has actually been obtained and bears the burden of pleading and proof in this respect. The decision was issued at second instance in summary proceedings and cannot be appealed further. Whether this view will also prevail in the main proceedings remains to be seen, as it extends responsibility very far.

(Christina Prowald)

New decisions on the transmission of positive data to SCHUFA

The Regional Court of Gießen has once again commented on the transmission of positive data to SCHUFA (we reported on this in July 2024) and ruled that a telecommunications company's notification of the conclusion of a contract does not give rise to a claim for damages under Art. 82 GDPR (LG Gießen, decision dated 31.05.2024 - Ref. 9 O 530/23; GRUR-RS 2024, 12261). The court noted that it is disputed in case law and literature whether the legitimate interests put forward by the defendant for the transfer, specifically fraud prevention, prevention of over-indebtedness, more precise default risk forecasts and validation of the data held by SCHUFA, outweigh the plaintiff's right to informational self-determination. Since no milder and equally suitable means of achieving the defendant's legitimate interests could be identified that would be workable in the highly automated mass business of telecommunications providers, the court held that the defendant's interests prevail, so that there was a legal basis for the transfer and therefore no violation of the GDPR in the first place. In the court's view, there is also no compensable damage. The plaintiff's formulaic submissions were not sufficient to establish damage; his alleged feeling of loss of control and great concern about his creditworthiness were not plausibly substantiated. Moreover, the defendant's reports were not capable of worsening the plaintiff's creditworthiness.

The Regional Court of Augsburg has agreed with this view and likewise assumes that there is no violation of Art. 6 (1) GDPR, since the transfer can be justified on the basis of the balancing of interests under Art. 6 (1) (1) (f) GDPR, and that in any event there is no damage (LG Augsburg, decision dated 06.06.2024 - Ref. 114 O 4038/23). The court reasoned that the defendant was not only pursuing its own economic interests with the transmission but was also indirectly promoting the interests of consumers, and therefore those of the plaintiff. A less burdensome but equally effective means was not discernible.

The Mannheim Regional Court (LG Mannheim, decision dated 07.06.2024 - Ref. 9 O 381/23; GRUR-RS 2024, 16807), the Ansbach Regional Court (LG Ansbach, decision dated 20.06.2024 - Ref. 2 O 1111/23) and the Stade Regional Court (LG Stade, decision dated 30.04.2024 - Ref. 4 O 316/23; GRUR-RS 2024, 10218) have ruled in a similar way. In the opinion of these courts, it is irrelevant whether the requirements of Art. 6 (1) (1) (f) GDPR are met, as there is no causally caused damage. The plaintiff only described negative consequences in the form of a feared loss of control, but no non-material damage. Neither the fear of being refused a loan because of the transmission of the positive data nor bad experiences of this kind in the past could substantiate damage. As a result, the plaintiff's claim fails.

The Regional Court of Bonn (LG Bonn, decision dated 03.05.2023 - Ref. 19 O 221/23; GRUR-RS 2024, 10232) and the Regional Court of Aachen (LG Aachen, decision dated 11.07.2024 - Ref. 1 O 388/23; GRUR-RS 2024, 16535) have also rejected a claim for damages.

(Christina Prowald)

LDI NRW presents activity report 2023

Bettina Gayk, the State Commissioner for Data Protection and Freedom of Information in North Rhine-Westphalia (LDI NRW), has published her 29th activity report for the year 2023 (notification of 08.07.2024).

The Commissioner reports that around 11,050 written submissions reached the supervisory authority in 2023. 111 fine proceedings were initiated and 65 fines totalling 64,650 euros were imposed; the highest individual fine in the reporting year was 10,000 euros. The LDI NRW stresses that supervision is an important part of its work, but that it also acts in an advisory capacity to improve understanding of data protection. Cyber security is one of the topics addressed: according to estimates, around 58% of German companies were affected by a cyberattack in 2023. Where personal data is leaked or otherwise compromised, this also concerns the data protection authority, not least because of the breach notification duty under Art. 33 GDPR. Small companies in particular are often unable to react independently and appropriately, so the LDI has drawn up a guide for dealing with such attacks. Its overall recommendation is to prepare for such situations with an emergency plan.

The supervisory authority also dealt with various requests for advice on AI procedures last year. Even though the EU has now adopted the AI Act, assessing the data protection compliance of AI applications will remain relevant, and data protection must be considered from the outset when implementing AI systems. The report also covers topics such as the use of Microsoft 365, the design of cookie banners, data transfers to the USA and the Whistleblower Protection Act.

(Christina Prowald)

LfDI Rhineland-Palatinate on the sending of newsletters and e-mail advertising

The State Commissioner for Data Protection and Freedom of Information Rhineland-Palatinate (LfDI) has launched an information campaign on the data protection rules for newsletters and email advertising (notification of 17.06.2024). Companies and cultural institutions in Rhineland-Palatinate are being proactively informed by letter about the requirements that apply when sending advertising by email. The aim is to raise awareness among those responsible and reduce the number of infringements; last year the LfDI received 70 complaints on this topic.

LfDI Prof. Dr. Dieter Kugelmann commented on the information campaign as follows: "Newsletters and promotional emails are an important means for companies to communicate with their customers. This is legitimate in principle. Nevertheless, there are rules that protect the rights of the potential recipients of the messages. These rules are not that complicated, but not everyone is aware of them. Unfortunately, we repeatedly find deficits in this area and we receive numerous complaints. We also rely on a multiplier effect, i.e. on the fact that the companies and cultural institutions addressed pass on the information in their sectors. This is not only desirable from the point of view of data protection and my authority, but is also a benefit for the sectors affected. After all, violations can lead to regulatory measures and even fines in the event of complaints."

The LfDI also provided further information on this topic on its website as well as a guide to direct advertising.

(Christina Prowald)

Belgium: Data controller must support data protection officer

In a decision of June 3, 2024, the Belgian supervisory authority (APD) emphasised the controller's obligation to support its data protection officer (communication of 03.06.2024). If the data protection officer cannot fully perform his or her duties because the controller fails to provide support, and data protection breaches occur as a result, the controller cannot exonerate itself by pointing to the data protection officer's failings.

In the same proceedings, the APD imposed a fine on the controller because it had not deleted a data subject's data in connection with direct marketing despite being requested to do so, and had not enabled its part-time and overworked data protection officer to perform his duties effectively. The APD also stated that the data protection officer must be involved in all matters relating to data protection, that the controller must recognise the role of its data protection officer, that an internal data protection officer must be given sufficient time for the role, that the appointment must be communicated to all employees, and that the controller must provide regular training and further training for an internal data protection officer.

(Christina Prowald)

Italy: GPDP imposes fine for unlawful advertising calls

On June 6, 2024, the Italian supervisory authority (GPDP) imposed a fine of 6,419,631 euros and various other measures on the company Eni Plenitude S.p.A. Società Benefit for unsolicited telephone calls (notification of 06.06.2024).

The company, which markets gas and electricity contracts, contacted numerous people by telephone to advertise its products. After 108 reports and 7 complaints about unsolicited advertising calls had reached the supervisory authority, it requested information from the company. The GPDP then established that various telephone contacts had been made without the prior consent of the persons concerned; in some cases, the persons had even entered their number in the public opt-out register. A sample check of one specific week also revealed that 657 of the 747 contracts concluded originated from an unauthorised contact. The GPDP consequently found violations of Art. 5 (principles relating to processing), 6 (lawfulness of processing), 24 (responsibility of the controller), 25 (data protection by design and by default) and 28 (processor) GDPR.

(Christina Prowald)

Sweden: Fine for use of the Facebook Pixel

On June 25, 2024, the Swedish supervisory authority (IMY) imposed a fine of 15 million SEK on the Swedish bank Avanza Bank AB for violating Art. 5 (1) (f) and 32 (1) GDPR because, owing to incorrect settings, it had used the Facebook pixel to transmit data of up to one million customers to Meta between November 15, 2019 and June 2, 2021 (notification of 24.06.2024).

The bank had used the Facebook pixel for marketing purposes both on its website and in its app. After new functions were subsequently activated, a large amount of customer data, including securities holdings, account numbers and loan amounts, was transmitted to Meta without the company being aware of it, according to its own statements. IMY took the view that the company had not taken sufficient security measures to prevent the data transfer, or at least to detect it at an early stage. Avanza deactivated the Facebook pixel once the incident became known and stated that Meta had deleted the data.

(Christina Prowald)
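The two findings above, that consent must actually exist before a third-party tag stores or reads anything on the device (OLG Frankfurt), and that a controller must prevent a marketing pixel from exporting customer data or at least detect it early (IMY/Avanza), translate into one engineering control: a guard between application code and the tag. The following is an added example written for this newsletter; it is not code from Meta, Microsoft, Avanza or the newsletter itself. It assumes the pixel is called through the usual fbq('track', event, params) form, that the allowlisted event names, parameter keys and value patterns have been agreed with the marketing team (the sets below are illustrative), and that a hypothetical consentGiven() hook reports the state of the site's consent management.

```javascript
// Added example, not code from the newsletter, Avanza, Meta or Microsoft.
// A guard that application code calls instead of the Facebook Pixel's global
// `fbq` function. It (1) refuses to fire any tag call until consent has been
// recorded, (2) allowlists the event names and parameter keys marketing has
// approved, (3) drops values that look like account or securities identifiers,
// and (4) logs every refusal so a misconfiguration is detected early rather
// than shipping customer data to a third party for months.

// Assumption: the events and parameter keys approved for export (illustrative).
const ALLOWED_EVENTS = new Set(['PageView', 'ViewContent', 'Lead']);
const ALLOWED_PARAMS = {
  PageView: new Set(),
  ViewContent: new Set(['content_name', 'content_category']),
  Lead: new Set(['content_name']),
};

// Structural patterns for values that must never leave the first-party origin.
const SENSITIVE_VALUE_PATTERNS = [
  /\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b/, // IBAN-like account number
  /\b[A-Z]{2}[A-Z0-9]{9}\d\b/,        // ISIN (securities holding)
  /\d{8,}/,                           // long digit run: account or loan number
];

// Detection log. In production, forward entries to the logging/SIEM pipeline
// and alert on any non-zero rate; a healthy deployment logs nothing here.
const violations = [];

function looksSensitive(value) {
  return SENSITIVE_VALUE_PATTERNS.some((re) => re.test(String(value)));
}

// Pure function: returns the payload that may be sent plus the keys that were
// dropped, so the caller can both send the clean event and alert on the rest.
function sanitizeEvent(eventName, params = {}) {
  if (!ALLOWED_EVENTS.has(eventName)) {
    return { allowed: false, params: {}, dropped: Object.keys(params) };
  }
  const allowedKeys = ALLOWED_PARAMS[eventName] || new Set();
  const clean = {};
  const dropped = [];
  for (const [key, value] of Object.entries(params)) {
    if (!allowedKeys.has(key) || looksSensitive(value)) {
      dropped.push(key); // key not approved, or value looks like an identifier
      continue;
    }
    clean[key] = value;
  }
  return { allowed: true, params: clean, dropped };
}

function recordViolation(eventName, reasons) {
  if (reasons.length === 0) return;
  violations.push({ at: new Date().toISOString(), event: eventName, reasons });
}

// Builds the guarded tracker. `sink` is the real pixel function (window.fbq in
// the browser; injected here so the guard runs without it) and `consentGiven`
// is a hypothetical hook into the site's consent management platform.
function makeGuardedPixel(sink, consentGiven) {
  return function track(eventName, params = {}) {
    if (!consentGiven()) {
      recordViolation(eventName, ['no_consent']);
      return false; // no consent: the tag is not called at all
    }
    const { allowed, params: clean, dropped } = sanitizeEvent(eventName, params);
    recordViolation(eventName, allowed ? dropped : ['event_not_allowed', ...dropped]);
    if (!allowed) return false;
    sink('track', eventName, clean);
    return true;
  };
}

// Constructed demo input: a page view in a brokerage app where a newly enabled
// feature started attaching account and holding identifiers to the event.
const sent = [];
const pixel = makeGuardedPixel((...args) => sent.push(args), () => true);
pixel('ViewContent', {
  content_name: 'Fund overview',
  account_number: '12345678901',
  content_category: 'SE1234567890123456789012',
});
// sent[0] is ['track', 'ViewContent', { content_name: 'Fund overview' }]
// violations[0].reasons is ['account_number', 'content_category']
```

The guard only sees what application code passes to it. Features that the pixel script collects on its own after they are switched on in the tag's configuration bypass this wrapper entirely, which is exactly the mechanism described in the Avanza case; those need a change-control step (every newly enabled pixel feature is a data protection review) and a check of the request bodies the pixel actually sends in a test environment. The violations log gives the early-warning signal IMY said was missing: a spike in dropped keys after a release means someone started attaching fields that were never approved.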

Lithuania/France: Fine of 2.3 million euros imposed on Vinted

On July 2, 2024, the Lithuanian data protection authority, in cooperation with the French supervisory authority (CNIL), imposed a fine of 2,385,276 euros on the company Vinted UAB for several violations of data protection law (notification of 03.07.2024).

Vinted is an online marketplace where users sell, buy and swap second-hand clothing; the platform is accessible via app and web browser. After numerous complaints had reached the CNIL since 2020, the CNIL forwarded them to the Lithuanian supervisory authority, which is the lead authority under the GDPR and then took over the investigation. The investigation revealed that Vinted did not handle deletion requests properly: in particular, a request may not be refused merely because the data subject did not cite one of the grounds listed in the GDPR. The authority also found that the reasons for rejecting requests had not been fully disclosed to those affected. It further objected to so-called "stealth banning" (shadow banning, i.e. sanctioning users classified as malicious by secretly making their activity invisible): the lack of information excessively impaired users' rights and the practice could lead to discrimination, while its objectives could equally be achieved by openly blocking the account.

(Christina Prowald)