
Newsletter data protection

Dear readers,

Every year brings various developments and challenges in data protection law. Traditionally, we summarize the data protection events of the past year in the January issue of our newsletter. In the focus topic of this year's first issue, we therefore look back at the year 2023 in terms of data protection law and venture a look ahead to the new year 2024.

In 2024, BRANDI's data protection team will continue to keep you up to date with the latest developments and events in data protection law. In the current issue, we report on the ECJ's decisions on the right to immaterial damages and the requirements for the imposition of a fine, the decision of the Higher Regional Court of Cologne on data transfers to Google and the decision of the Administrative Court of Bremen on the scope of the duty to provide information to the supervisory authority.

For feedback on this newsletter or questions related to the newsletter topics, please email us at datenschutz@brandi.net. You can also find the other contact details on our homepage.

Dr. Sebastian Meyer and the BRANDI data protection team

Topic of the month: Annual review 2023 and outlook 2024

In 2023, data protection law was characterized by various decisions by authorities and courts. In particular, issues relating to the right of access under Article 15 GDPR and the right to compensation under Article 82 GDPR were discussed last year. In addition, topics such as the use of tracking tools and cookie banners as well as the transfer of data to third countries continued to be relevant. The European Commission has adopted a new adequacy decision for the EU-US Data Privacy Framework for data transfers to the USA. The Whistleblower Protection Act (HinSchG) also came into force in July 2023. According to this law, companies that generally employ at least 50 people or perform certain activities have been obliged to set up an internal reporting office since December 17, 2023, through which employees can report legal violations. As the implementation of the requirements involves the processing of personal data, the data protection regulations must also be complied with and documented in this context.

Our BRANDI-Data Protection Law Day took place for the fourth time on May 12, 2023. As a guest of BRANDI in Bielefeld we were honored to have Prof. Dr. Alexander Roßnagel, Hessian Commissioner for Data Protection and Freedom of Information (HBDI). We exchanged views with Prof. Dr. Roßnagel on various issues relating to data protection in the cloud and cybersecurity. In conversation with lawyers from BRANDI, he gave an exciting insight into various data protection issues, current procedures and the daily work of the Hessian Data Protection Supervisory Authority and the Data Protection Conference (DSK).

We have taken the turn of the year as an opportunity to review the main topics and particularly relevant developments and events of the past year in our traditional annual review. We also venture a look ahead to the new year 2024.


On our own account: BRANDI-Data Protection Law Day 2024

We cordially invite you to our 4th BRANDI-Data Protection Law Day on May 24, 2024. This year's event will take place in Paderborn. In addition, there will also be the opportunity to stream the events of our Data Protection Law Day online.

Since the GDPR came into force, some data protection issues in connection with the application of the GDPR have been fully or at least partially clarified. Other questions and problems continue to occupy lawmakers, and yet others are entirely new.

We have once again been able to attract a renowned expert for the event. This year, we will be discussing with Thilo Weichert, who has been a member of the jury for many years and helps decide on the presentation of the annual Big Brother Awards. Dr. Weichert is one of Germany's best-known data protection experts and former head of the data protection supervisory authority in Schleswig-Holstein (ULD).

You can already look forward to interesting presentations and exciting discussions. We will inform you in more detail about the content of the event and how to register for it on our homepage and in our data protection newsletter.

(Christina Prowald)

Whistleblower Protection Act

The Whistleblower Protection Act (HinSchG) came into force on July 2, 2023. Accordingly, companies that generally employ at least 50 employees or perform certain activities are under the obligation since December 17, 2023 to set up an internal reporting office – a whistleblower system – through which employees can report legal violations. As the implementation of the provisions of the HinSchG involves the processing of personal data, the data protection regulations must also be complied with and documented in this context.

In particular, whistleblowers must be informed in accordance with Article 13 GDPR about the extent to which their personal data is processed in connection with the use of the reporting office. It is therefore necessary to create a privacy policy that is made available to the whistleblowers. The specific design of the privacy policy depends on the design of the reporting office. Persons affected by the report must also be informed under data protection law in accordance with Article 14 GDPR, unless the information is excluded due to legal requirements.

Like any other process in which personal data is processed, data processing procedures associated with the handling of reports under the HinSchG must also be included in the records of processing activities pursuant to Article 30 GDPR. Due to the potentially sensitive content and data categories, comprehensive and detailed documentation is recommended in all cases.

If data processing is likely to result in a high risk to the rights and freedoms of natural persons, the data controller must also carry out an assessment of the consequences of the intended processing operations for the protection of personal data in advance in accordance with Article 35 (1) GDPR (data protection impact assessment). Due to the potentially sensitive content of breach notifications, which may also be relevant under criminal law and have serious consequences for those affected, many supervisory authorities are of the opinion that the data processing associated with the notification regularly involves a high risk to the rights and freedoms of natural persons and that a data protection impact assessment is therefore also required. Data processing procedures in connection with the obligations of the HinSchG have not yet been formally included in the German supervisory authorities' positive list of cases in which a data protection impact assessment must be carried out. Nevertheless, a corresponding risk assessment and documentation should be carried out.

Further information on data protection and the Whistleblower Protection Act can also be found in the July 2023 issue of our Data Protection Newsletter.

(Christina Prowald)

ECJ on the claim for non-material damages under Article 82 GDPR

On December 14, 2023, the ECJ clarified the requirements for a claim for non-material damages under Article 82 GDPR in two decisions (ECJ, decision dated 14.12.2023 - Ref. C-340/21 and ECJ, decision dated 14.12.2023 - Ref. C-456/22).

In its first decision, the ECJ begins by stating that, in the event of a breach of the protection of personal data by a third party, the data controller can be exempted from liability in accordance with Article 82 (3) GDPR by proving that there is no causal link between the possible breach of its data protection obligations and the damage caused to the data subject. However, the controller cannot be exempted simply because the damage is the result of unauthorized access by a third party. Rather, the controller must prove that it is in no way responsible for the circumstance that caused the damage.

With regard to the question of whether the mere fact that a data subject fears that their data could be misused by third parties as a result of a breach of the GDPR constitutes non-material damage, the ECJ refers to its decision from May 2023 (we reported in June 2023). It continues by stating that the mere fact that a data subject fears that their personal data could be misused by third parties as a result of a breach of the GDPR may indeed constitute non-material damage within the meaning of Article 82 GDPR. In the court's view, any other interpretation is incompatible with ensuring a high level of protection when processing personal data. However, the data subject would have to prove the negative consequences for them as well as the non-material damage. Furthermore, the national court must examine whether the data subject's fears can be considered justified.

In its second decision, the ECJ states that a national regulation or practice that provides for a de minimis limit in relation to non-material damage is not compatible with Article 82 GDPR. A different interpretation is also incompatible with the objective of ensuring a uniform and high level of protection. However, the data subject must also prove in this case that the consequences of the infringement that they claim to have suffered were the cause of damage that differs from the mere infringement. The ECJ again refers to its decision from May 2023.

(Christina Prowald)

ECJ: Imposition of a fine requires culpable breach of the GDPR

On December 5, 2023, the European Court of Justice (ECJ) clarified the conditions under which the national supervisory authority can impose a fine in two decisions (ECJ, decision dated 05.12.2023 - Ref. C-683/21 and ECJ, decision dated 05.12.2023 - Ref. C-807/21). A Lithuanian and a German court had previously appealed to the ECJ regarding the possibility of national supervisory authorities to impose fines for breaches of the GDPR.

In its rulings, the court decided that the imposition of a fine requires a culpable, i.e. intentional or negligent, breach of the GDPR. This is the case if the data controller could not have been unaware of the unlawfulness of their conduct. The ECJ bases this on, among other things, the wording of Article 83 GDPR.

In its first decision, the court went on to state that fines can also be imposed on a controller in relation to processing operations carried out by a processor, insofar as these can be attributed to the controller. It also pointed out that joint controllership arises solely from the fact that the parties have participated in the decision on the purposes and means of the processing. This classification does not require a formal agreement; joint or concurring decisions are sufficient. Nevertheless, the obligations of the parties must be set out in an agreement.

In its second decision, the ECJ makes clear that a prior finding that the infringement was committed by an identifiable natural person is not a prerequisite for the imposition of a fine. A combined reading of Article 4 No. 7, Article 83 and Article 58 (2) (i) GDPR shows that a fine can also be imposed on a legal person if it has the status of a controller. The GDPR does not contain any provision that makes the imposition of a fine dependent on the infringement having been committed by an identifiable natural person. Such a requirement could also weaken the effectiveness and deterrent effect of fines. The ECJ further states that, where the controller is a legal person, the infringement giving rise to the fine does not have to be committed by a management body, nor does a management body have to have knowledge of the infringement. The legal entity is liable not only for infringements committed by its representatives, managers or directors, but also for infringements committed by other persons acting on its behalf in the course of their business activities. This follows from the wording, system and purpose of Article 83 GDPR.

(Christina Prowald)

ECJ on SCHUFA scoring and retention periods

Following a referral from the Wiesbaden Administrative Court, the ECJ has ruled on two SCHUFA practices (ECJ, decision dated 07.12.2023 - Ref. C-634/21; C-26/22; C-64/22). On the one hand, the scoring carried out by SCHUFA is only permissible under certain conditions; on the other hand, the company's storage practices regarding information on residual debt discharge are contrary to data protection law.

Scoring is a mathematical-statistical procedure used to determine the probability of future behavior, such as the repayment of a loan. Scoring is an "automated decision in individual cases" that is generally prohibited by the GDPR if SCHUFA customers attribute a significant role to scoring in the context of granting a loan. This procedure would only be permissible if there is an exception to this prohibition under EU law or the law of the Member State to which the controller is subject. Since, according to the referring administrative court, scoring is attributed a decisive role in the context of granting credit, it must now examine the extent to which there is a valid exception to the prohibition of automated decision-making in individual cases and the general conditions for data processing provided for in the GDPR are met.

According to the ECJ, SCHUFA's practices with regard to the storage of information on the granting of a discharge of residual debt are in any case contrary to data protection law. SCHUFA stores information on the granting of a discharge of residual debt for three years. However, private credit agencies are not allowed to store the data for longer than a public insolvency register. The insolvency registers store the information for six months. If the data is stored for longer than six months, those affected have the right to immediate deletion. With regard to the storage of the information by SCHUFA for the six months, it is up to the referring court to weigh up the conflicting interests and assess the legality of the storage.

(Hendrik Verst)

BGH on the request for information on the naming of co-shareholders

On October 24, 2023, the BGH ruled that a shareholder's request for information, which also serves the purpose of using the names, addresses and shareholding amounts of the co-shareholders to submit purchase offers for their shares, does not constitute an impermissible exercise of rights or an abuse of the right of access and is compatible with the provisions of the GDPR (BGH, decision dated October 24, 2023 - Ref. II ZB 3/23).

The plaintiff was a co-shareholder in a public fund company. On behalf of the fund company, the defendant kept a register with the personal data and shareholding amounts of all trustors. The plaintiff requested information from the defendant about the names, addresses and shareholding amounts of the co-shareholders and referred in this respect to the purposes of preparing a shareholders' meeting and making contact. It noted that it could not be ruled out that the information would also be used to submit purchase offers. The defendant rejected the request for information with reference to the GDPR.

The BGH stated that anyone who participates in a partnership or commercial partnership must expect that, in addition to their data, the amount of their participation will also be disclosed to their co-shareholders or co-trustees of equal status. Although previous decisions had only referred to names and addresses, it was sufficiently clear from the Federal Court of Justice's justification of the right of access that the disclosure of the amount of the shareholding was also permissible under data protection law.

(Christina Prowald)

No compensation for data scraping on Facebook

In two further decisions, the Higher Regional Court of Hamm has commented on data scraping at Facebook and confirmed its previous legal opinion that the incidents do not justify compensation for damages under Article 82 GDPR (OLG Hamm, decision dated 22.09.2023 - Ref. 7 U 77/23 and OLG Hamm, decision dated 17.11.2023 - Ref. 7 U 71/23).

The Higher Regional Court of Hamm stated in the decisions that immaterial damage attributable to the infringements could neither be sufficiently demonstrated nor proven. In this respect, generalized impairments or the listing of general-abstract dangers without concrete evidence of personal impairments were not sufficient.

(Christina Prowald)

OLG Köln: Data transfer to Google inadmissible

In the opinion of the Higher Regional Court of Cologne, a data transfer to Google is in breach of data protection law even under the new adequacy decision for the EU-US Data Privacy Framework if the other general requirements are not met (OLG Köln, decision dated 03.11.2023 - Ref. 6 U 58/23).

The defendant was Deutsche Telekom, whose integration of Google Analytics on the company's website was already deemed unlawful by the Regional Court of Cologne in March 2023, as it resulted in an inadequately secured transfer of data to the USA (we reported in June 2023). The Higher Regional Court of Cologne has now confirmed the opinion of the Regional Court and also commented on data transfers based on the new adequacy decision. First of all, the OLG states that Google is certified under the new agreement. However, in the court's view, this does not change the inadmissibility of the data transfer in the specific case. Even if there is an adequacy decision, the other general requirements for permissible data processing must be met. However, any consent given by the data subjects was invalid in this case, as the necessary information was not provided to the data subjects.

The court also ruled that the data protection notices on analysis and marketing cookies included via the cookie banner were subject to general terms and conditions control. In the opinion of the court, the clauses on analysis and marketing cookies objected to by the plaintiff are to be considered inadmissible as they constitute an unreasonable disadvantage for users. This resulted from the fact that the data protection information for the transfer of personal data to third countries stated a legal basis that did not legitimize the processing.

(Christina Prowald)

LAG Düsseldorf: No compensation for delayed and incomplete information

On November 28, 2023, the LAG Düsseldorf dismissed a claim for damages due to delayed and incomplete provision of information (LAG Düsseldorf, decision dated 28.11.2023 – 3 Sa 285/23, press release of 28.11.2023).

The plaintiff had been employed since December 2016 in the customer service department of a real estate company (the defendant) and in 2020 asserted a right of access against the defendant pursuant to Article 15 GDPR, to which the defendant did not respond. In October 2022, the plaintiff again requested information. The plaintiff complained that the information provided to him was late and lacking in content. He stated that specific information on the duration of data storage and the recipients of the stored data was missing, and that the data copy was incomplete. At the plaintiff's request, the defendant subsequently supplemented the information several times. The plaintiff then demanded compensation from the defendant under Article 82 GDPR because the defendant had repeatedly violated his right of access.

At first instance, the Duisburg District Court awarded the plaintiff monetary compensation in the amount of 10,000 euros. The LAG Düsseldorf has now dismissed the claim in its entirety. It stated that the defendant had violated Articles 12 and 15 GDPR because it did not provide the information on time and initially provided incomplete information. However, this did not give rise to a claim for damages under Article 82 GDPR. The provision presupposes data processing in breach of the GDPR, which is lacking in the case of a mere breach of the obligation to provide information under Article 15 GDPR. In addition, the provision requires more than a mere breach of the provisions of the GDPR; the loss of control cited by the plaintiff is not sufficient in this respect.

(Christina Prowald)

LG Augsburg: Footer in e-mail is not advertising

On June 9, 2023, Augsburg District Court ruled that an email containing links to the company's own website and social media channels in the footer does not constitute unauthorized advertising (we reported on this in August 2023). The Regional Court of Augsburg has now agreed with this view in its decision of October 18, 2023 (LG Augsburg, reference decision dated 18.10.2023 - Ref. 044 S 2196/23). The display of a mere link to social media presences is not unlawful. The mere link to the defendant's social media presence, if it is regarded as advertising at all, is not a concrete impairment of the plaintiff. The link was not used to advertise specific products and the link itself had no specific information content. The plaintiff could simply ignore the links. Such links are now common as part of the signature, so that the reader does not have to make any effort to separate them from the informational part of the email.

(Christina Prowald)

VG Bremen on the scope of the duty to provide information to the supervisory authority

On November 11, 2023, the VG Bremen ruled that the data controller is generally obliged to provide information to the competent supervisory authority. However, if there is a risk of administrative offense proceedings, there is a right to refuse to provide information (VG Bremen, decision dated 27.11.2023 - Ref. 4 K 1160/22, BeckRS 2023, 34504).

The plaintiff was the owner of an accounting office and had installed video surveillance in its offices, which monitored not only the offices but also the public space in front of them. After the supervisory authority was informed of this by the public order office, it sent the plaintiff an extensive list of questions regarding the video surveillance. After the plaintiff failed to provide information despite repeated requests, the supervisory authority threatened to impose a penalty payment of 50 euros for each unanswered question. The plaintiff then filed a lawsuit.

The court stated that data controllers must comply with the supervisory authority's right of access and found that the plaintiff was the controller of the video surveillance. In the court's view, the supervisory authority's list of questions is not objectionable, as the questions were clearly intended to assess the facts of the case. The fact that the list of questions went beyond simply requesting answers to questions (it included requests for the submission of information signs, the list of procedures, and the data protection impact assessment) was not objectionable. Only the plaintiff's objection that it did not want to provide any information due to possible regulatory offense proceedings that had been initiated could be considered in favor of the plaintiff in principle. However, the plaintiff had not proven the initiation of such proceedings. The court subsequently ruled that the threat of a penalty payment was lawful.

(Christina Prowald)