Data protection newsletter

Dear readers,

Another victory for Max Schrems in his dispute with Facebook. The Austrian, who is well known far beyond data protection circles, once again brought a case before the European Court of Justice, this time against Meta Platforms Ireland. Schrems had previously attracted international attention through the so-called Schrems I and Schrems II judgments of the European Court of Justice, in which he was also the plaintiff and which led to two adequacy decisions between the European Union and the United States being overturned. As the founder of the NGO NOYB (“None of Your Business”), Schrems campaigns specifically for compliance with the GDPR and regularly takes legal action against breaches by large companies. In its ruling, the European Court of Justice restricted the use of personal data for personalized advertising (ECJ, decision dated 04.10.2024 - Ref. C-446/21). The decision is important for both social network operators and advertisers. In this issue of our newsletter you can read which questions the European Court of Justice had to answer in this case.

For feedback on this newsletter or questions related to the newsletter topics, please email us at datenschutz@brandi.net. You can also find the other contact details on our homepage.

Dr. Sebastian Meyer and the BRANDI data protection team

Topic of the month: Data protection in the BEM procedure

If employees are absent due to illness for more than six weeks within a year, employers are obliged under Section 167 (2) (1) SGB IX to clarify, together with the competent employee representative body and, if applicable, the representative body for severely disabled employees, and with the involvement of the person concerned, what options are available to overcome the incapacity to work, prevent further incapacity to work and preserve the job. To this end, the employer must offer the employee a company integration management procedure (Betriebliches Eingliederungsmanagement-Verfahren, BEM). Initiating the procedure and implementing each further individual measure then requires the consent of the employee concerned. If consent is refused or revoked, the clarification process in the form of the BEM does not take place.

Since a large amount of personal data is processed in the course of the BEM procedure, the data protection provisions of the General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG) must be observed in addition to the provisions of employment law. In particular, the data processed includes health data, to which special requirements apply.

EDPB selects topic for the Coordinated Action 2025

At its plenary session in October, the EDPB selected the implementation of the right to erasure (“right to be forgotten”) as the topic of the fourth Coordinated Action, which will take place in 2025 (communication of 10.10.2024). In such a coordinated enforcement action, the national data protection authorities give priority in their work to the topic defined by the EDPB. The aim of the action is to evaluate how the right is implemented in practice, to identify the key points of compliance with the law and to obtain an overview of best practices. The right to erasure is one of the rights most frequently exercised by data subjects, and the data protection authorities continually receive complaints about it.

(Gesche Kracht)

ECJ: Use of public personal data for targeted advertising

In the dispute between Max Schrems and Facebook, the ECJ ruled on the right of online social networks to retain and use data collected for advertising purposes (ECJ, decision dated 04.10.2024 - Ref. C-446/21).

In substance, the question was how long social online services such as Facebook may store data that they have received specifically for advertising purposes, and whether such services must take into account what type of data is involved. The General Data Protection Regulation itself already differentiates between types of data, for example in Art. 9 GDPR, which places increased requirements on the processing of particularly sensitive data.

The legal dispute concerned precisely such a special category of data. Mr. Schrems had made his sexual orientation public during a panel discussion. This information was stored by Facebook, and as a result he received personalized advertising tailored to it. Mr. Schrems brought proceedings before the competent courts in his home country, which referred questions on the interpretation of the rules governing the processing of these special categories of data to the ECJ.

The ECJ replied that the principle of data minimization laid down in Art. 5 (1) (c) GDPR precludes processing that is unlimited and that does not distinguish between types of data. In addition, the ECJ made it clear that the fact that a person has made a specific piece of data public, in this case their sexual orientation, does not entitle social online services such as Facebook to link it with thematically related data that was not made public in the same way and then use those links for advertising purposes.

(Lukas Ingold)

ECJ on the obligation of the data protection authority to take action

On September 26, 2024, the ECJ ruled that a supervisory authority is not always obliged to take remedial action in the event of data protection violations and, in particular, to impose a fine (ECJ, decision dated 26.09.2024 - Ref. C-768/21).

The underlying case involved a company employee who had accessed a customer's personal data on several occasions without authorization. The company had reported this to the competent supervisory authority, but not to the customers concerned. The company had taken disciplinary action against the employee, and the employee had confirmed in writing that she had not copied, stored or passed on the data to third parties and would not do so in the future.

A customer complained to the competent supervisory authority about the access, and the authority stated that it did not consider remedial action necessary. The customer then brought an action before the Wiesbaden Administrative Court, requesting that the authority be obliged to intervene and, in particular, to impose a fine on the controller.

The German court asked the ECJ to interpret the GDPR on this issue. According to the ECJ, the competent data protection authority may refrain from taking remedial action if such action is not necessary to remedy the shortcomings identified and to ensure full compliance with the GDPR. Action can therefore be dispensed with if the controller has already taken the necessary measures on its own initiative.

(Hendrik Verst)

ECJ on the right to compensation

In addition to the above-mentioned judgment of October 4, 2024, the ECJ issued a further judgment on the same day on the subject of compensable damage (ECJ, decision dated 04.10.2024 - Ref. C-200/23). In substance, it concerned the question of when such compensable damage exists, which can then give rise to a claim for damages under Art. 82 GDPR.

Specifically, the question was whether such damage can already be assumed if personal data falls, or could fall, into the hands of third parties as a result of a data leak at the controller, or whether further circumstances such as unlawful disclosure or misuse are required. The ECJ confirmed the trend indicated in its previous rulings on this topic and stated explicitly that the mere loss of control over the data is to be regarded as non-material and therefore compensable damage. No additional justification in the form of fears or concerns about misuse is required, although such fears may still be argued in addition. The ECJ based this decision on an argument from the legislative history: the European legislator explicitly provided for loss of control as a case of damage in recital 85.

(Lukas Ingold)

Preliminary references on the abuse of rights of data protection requests

The ECJ has currently received two preliminary references on the question of when a GDPR request is to be classified as an abuse of rights. In principle, every person has a right of access under Art. 15 (1) GDPR. This low threshold carries the risk that the right of access, which is intended as a protective instrument, may be used for other purposes. Two cases are the subject of the proceedings.

One case from Germany concerns the potentially manipulative use of the right of access to an “excessive” extent (AG Arnsberg, decision dated 31.07.2024 - Ref. 42 C 434/23, GRUR-RS 2024, 22223). This could be assumed if the requests for information are aimed solely at burdening a company. The ECJ is to assess whether this is already the case when a request is first made and whether such requests obviously serve only an extraneous interest, namely preparing an action for damages. Another case from Austria concerns the quantitative extent of requests for information, which could constitute an abuse of rights simply because of their number (Case C-416/23). The ECJ now has to decide whether this is the case.

(Lukas Ingold)

BAG on the claim for non-material damages

The Federal Labor Court (BAG) has ruled on the requirements for a claim for damages under the GDPR (BAG, decision dated 20.06.2024 - Ref. 8 AZR 124/23).

In 2020, the plaintiff asserted a right of access against her employer under Art. 15 GDPR. The employer initially did not comply with this request, so the plaintiff ultimately sued for the information and for damages in the amount of 5,000 euros. She based her claim for damages on the concern that her employer might have misused her data.

The BAG ruled that a mere expression of concern about data misuse is not sufficient for a claim for damages under Art. 82 (1) GDPR. The court followed the case law of the ECJ, according to which such emotional damage, which is recoverable in principle, must be demonstrated in each individual case. In its reasoning, the court stated that the fears asserted by the plaintiff are inherent in any situation in which information is not provided or is provided only incompletely. If invoking such concerns were already sufficient for a claim for damages, any breach of Art. 15 GDPR would practically always result in non-material damage. The independent requirement of damage would thus always be fulfilled and therefore meaningless, which is not compatible with the understanding of Art. 82 (1) GDPR.

(Hendrik Verst)

OLG Hamm on the assignability of a claim for damages under data protection law

In its judgment of July 24, 2024, the Higher Regional Court of Hamm dealt with the assignment of claims for damages under data protection law (OLG Hamm, decision dated 24.07.2024 - Ref. 11 U 69/23).

The defendant was the operator of a vaccination center. A data protection incident occurred when an information e-mail was sent with an incorrectly attached Excel file, as a result of which personal data of around 13,000 people who had booked an appointment at the vaccination center was disclosed. The incident was reported to the competent supervisory authority and the persons affected were informed. According to its own submissions, the plaintiff had the data protection damages claims of a total of 532 affected persons assigned to it and asserted them collectively at 800 euros per affected person.

The OLG awarded the plaintiff damages totaling only 600 euros for two assigned claims. The assignment of claims for damages under Art. 82 GDPR is possible in principle. The claim is an independent tortious claim that is subject to the general national liability regime of the German Civil Code (BGB) and is therefore also transferable under national law. It is not a highly personal claim either, since a violation of personality rights is not a requirement of Art. 82 GDPR. In light of the objectives of the GDPR, the focus is on the actual enforceability of the claim, which means that the transfer must be possible. However, the court considered the conclusion of assignment agreements to be proven in only two cases. For the other data subjects, damage had also not been sufficiently demonstrated.

(Gesche Kracht)

LG Lübeck: 350 euros compensation for Deezer data leak

In its judgment of October 4, 2024 regarding a data leak from the music streaming provider Deezer (we reported on a similar case in October 2024), the Regional Court of Lübeck awarded the plaintiff damages in the amount of 350 euros (LG Lübeck, decision dated 04.10.2024 - Ref. 15 O 216/23).

As a result of unauthorized data access by third parties at a processor of the provider, data of the streaming provider's users was published on the darknet. The plaintiff then asserted a claim for damages under Art. 82 GDPR on the grounds that the publication of the data exposed him to risks such as identity theft or phishing, that he had suffered an emotional disadvantage and that he was worried about possible misuse of his data. The Regional Court found that the transfer to the processor, which was not sufficiently secured in accordance with Art. 28 GDPR, constituted an unlawful data processing operation attributable to the defendant. On the part of the plaintiff, the court found non-material damage in the form of the asserted fears and concerns, relying on the corresponding case law of the ECJ on non-material damages. With regard to the specific amount of damages, in addition to the defendant's violations of the GDPR, the court took into account that the data record belonging to the plaintiff contained only a nickname, and that only the e-mail address and gender allow any conclusion to be drawn about the plaintiff.

(Gesche Kracht)

LG Paderborn on the transmission of positive data to SCHUFA

In its decision of September 2, 2024, the Paderborn Regional Court ruled that the automatic transmission of positive data to the SCHUFA credit agency may be based on legitimate interests (LG Paderborn, decision dated 02.09.2024 - Ref. 3 O 96/24). The decision deviates from the case law of the Regional Court of Munich, which in another case prohibited the transfer of positive data to SCHUFA for lack of overriding legitimate interests (LG Munich I, decision dated 25.04.2023 - Ref. 33 O 5976/22).

In the underlying case, the plaintiff demanded compensation under Art. 82 GDPR from a telecommunications company with which he had concluded a mobile phone contract. The telecommunications company had forwarded positive data to SCHUFA without his consent. The plaintiff saw this as a breach of data protection. However, the Paderborn Regional Court dismissed the claim.

In the opinion of the court, the transmission of positive data serves to safeguard legitimate interests within the meaning of Art. 6 (1) (f) GDPR. These interests lie above all in assessing willingness to pay and, in this context, in preventing fraud. From the perspective of the data subject, the transmission ultimately also serves to increase the accuracy of their scoring, to allow a more balanced assessment of negative data and to protect against over-indebtedness. As to necessity, the court found that the telecommunications company had no less intrusive means at its disposal in its highly automated mass business.

(Hendrik Verst)

LG Traunstein: No entitlement to data hosting in Europe

In its judgment of July 8, 2024, the Traunstein Regional Court denied a claim for data processing and data storage solely in Europe against the operator of a social network (LG Traunstein, decision dated 08.07.2024 - Ref. 9 O 173/24).

The plaintiff is a user of the social network operated by the defendant and asserted several claims in the proceedings for damages, injunctive relief, erasure and information due to violations of the GDPR, in particular in connection with monitoring, the processing of offline data and the transfer of data to the USA. Among other things, the plaintiff demanded that transfers of personal data to the USA cease in future. The Regional Court was unable to identify any unlawful data transfer to the USA. The social network is designed as a global platform, so international data exchange is inevitable. The company behind the platform is also based in the USA, which makes the data transfer obvious, and users, who use the platform voluntarily, must accept it as a business decision. The transfer was necessary for the performance of the contract (Art. 6 (1) (b) GDPR), and the requirements for data transfers to third countries were also met. The plaintiff is therefore not entitled to have his data stored and processed only in Europe.

(Gesche Kracht)

DSK on the requirements for the transfer of customer data in an asset deal

In its September resolution, the German Data Protection Conference (DSK) commented on the transfer of personal data to the acquirer in the context of an asset deal (resolution of 11.09.2024).

During the so-called due diligence process, the transfer of personal data is generally not permitted; a legitimate interest may exist only in individual cases where negotiations are at an advanced stage. With regard to customer data, a distinction must be made between the initiation of a contract, an ongoing contractual relationship and a terminated contractual relationship between the seller and the customer. Where contract negotiations are being conducted with customers, the transfer is permitted either if the customer continues the negotiations with the acquirer on their own initiative or if no legitimate interests of the customer conflict with the transfer. In the case of an ongoing contractual relationship, the assessment depends on how these contracts are treated under civil law: in the case of an assumption of contract, the transfer can be based on the performance of the contract under Art. 6 (1) (b) GDPR, whereas in the case of an assumption of performance, it must be examined whether an interest of the customer conflicts with the transfer, which is unlikely with regard to the outstanding performance. The transfer of customer data from terminated contracts in order to fulfill retention periods must be secured by a data processing agreement in accordance with Art. 28 (3) GDPR. Supplier data may regularly be transferred on the basis of Art. 6 (1) (f) GDPR, provided there is no conflicting interest. Finally, the transfer of employee data can in any case be based on Art. 6 (1) (b) GDPR, the performance of the contract, if the transaction constitutes a transfer of a business or part of a business.

In its resolution, the DSK also addresses other special case groups such as advertising data and special categories of data. In general, it should be noted that data protection responsibility for the transfer to the acquirer lies with the transferor, who must ensure an appropriate level of protection.

(Gesche Kracht)

Ireland: Fine of 91 million euros imposed on Meta

Because some user passwords were stored unencrypted, the Irish Data Protection Commission (DPC) has imposed a fine of 91 million euros on Meta Platforms Ireland Limited (notification of 27.09.2024).

In 2019, Meta reported to the data protection authority that some users' passwords had inadvertently been stored unencrypted in its internal systems. The DPC's subsequent investigation examined Meta's compliance with the GDPR, in particular whether the company had implemented security measures adequate to the risks associated with processing passwords, and whether it had handled the data breach properly. The supervisory authority concluded that Meta violated the GDPR in several respects: the notification and documentation obligations in connection with personal data breaches (Art. 33 (1) and (5) GDPR), as well as Art. 5 (1) (f) GDPR and Art. 32 (1) GDPR, owing to insufficient technical and organizational measures to ensure a level of security appropriate to the risk.

(Gesche Kracht)

France: Fine of 800,000 euros against CEGEDIM SANTÉ

The French data protection supervisory authority has imposed a fine of 800,000 euros on CEGEDIM SANTÉ for a breach of national data protection law and of Art. 5 (1) (a) GDPR (notification of 17.09.2024).

The investigation revealed that CEGEDIM SANTÉ had processed non-anonymized health data without authorization and transmitted it to customers for the purpose of compiling statistics and conducting studies in the healthcare sector. The company offers a software product, and doctors using this product are also offered the opportunity to join an “observatory”. The health data collected was then used by CEGEDIM SANTÉ's customers for research purposes. Doctors belonging to the “observatory” were also able to query a patient's health insurance reimbursements via a service used by the company; this query, however, triggered an automatic download of the data. The supervisory authority found that the data processed by the company was merely pseudonymized, meaning that it could still be related to individuals, and that the company had not obtained the authorization required under French law for the use of the health data. In addition, there was a breach of the lawfulness principle under Art. 5 (1) (a) GDPR, as the data could not simply be consulted without being collected automatically.

(Gesche Kracht)

Norway: Fine for freely accessible team folders

The University of Agder was fined 150,000 NOK by the Norwegian supervisory authority for failing to take adequate measures to protect personal data when using Microsoft Teams (communication of 11.09.2024).

At the beginning of the year, a university employee discovered that documents containing personal data were stored in a Teams folder that was freely accessible to all employees. The folder had been accessible in this way since the university began using Microsoft Teams in 2018. The breach affects around 16,000 employees, students and external data subjects. The information stored in the folder included names, national identity numbers, information on examinations and special arrangements, and an overview of refugees from Ukraine with their contact details, education and residence status.

(Gesche Kracht)

Spain: Fine for not making privacy policy easily accessible

On August 12, 2024, the Spanish supervisory authority (AEPD) issued a fine of 10,000 euros against LOCAL VERTICALS, S.L. due to a breach of the information obligations under Art. 13 GDPR (decision of the AEPD).

Following a complaint, the supervisory authority reviewed the company's website and found that the privacy policy was not adequately integrated. It was not directly accessible from the main page, but only via a submenu. In addition, the data protection provisions had to be confirmed as part of a registration form on the website, which also contained a link to them. However, that link led to a privacy policy on another website that did not belong to the actual operator. The form contained no further information about the actual controller of the processing and no other link to the actual privacy policy.

According to Art. 12 GDPR, the controller must provide the mandatory information pursuant to Art. 13 GDPR in a precise, transparent, comprehensible and easily accessible form. The AEPD did not consider this to be fulfilled.

(Gesche Kracht)