
Newsletter data protection

Dear readers,

On the occasion of a recently published guideline of the European Data Protection Board (EDPB) on the right of access pursuant to Article 15 of the GDPR, we provide practical implementation tips for dealing with information requests from data subjects in the main topic of this data protection newsletter. In addition, we provide information on other current data protection topics, such as the overturning of a decision by the Administrative Court of Wiesbaden regarding the "Cookiebot" cookie service.

For feedback on this newsletter or questions related to the newsletter topics, please email us at You can also find the other contact details on our homepage.

Dr. Sebastian Meyer and the BRANDI data protection team

Topic of the month: The right of access under data protection law

The right to informational self-determination is enshrined in constitutional law and states that data subjects can, in principle, decide which of their personal data may be processed by which body and for what purpose. In order to exercise this right, it is necessary for data subjects to be informed in the first place about the situations in which personal data is processed and what information about their own person is available to a data controller. Based on this approach, data protection law provides extensive rights for individuals who are affected by a processing of personal data.

One of the central data subject rights under the concept of the General Data Protection Regulation (GDPR) is the right of access, which is enshrined alongside Article 15 of the GDPR in Article 8(2)(2) of the Charter of Fundamental Rights of the European Union. It states that a data subject has the right to request information from the controller as to whether personal data relating to him or her are being processed. If this is the case, the right of access also extends to the communication of the specific data and a more detailed explanation of their processing.

On January 18, 2022, the European Data Protection Board (EDPB) published a guideline on the right of access, in which it discusses the conditions and limits of the claim (Guidelines 01/2022 on data subject rights – Right of access). The guidelines can be used as a supplement for the correct handling of information claims.


Data Protection Authority of Belgium: IAB Europe's Transparency and Consent Framework violates the GDPR

The Belgian Data Protection Authority (APD) announced in a press release dated 02/02/2022 that, in its view, the Transparency and Consent Framework (TCF) developed by IAB Europe violates provisions of the GDPR. It has therefore imposed a fine of EUR 250,000 on IAB Europe and given the company two months to submit a compliance plan.

The TCF is a mechanism designed to facilitate the management of user preferences for personalized online advertising and plays a central role in so-called Real Time Bidding (RTB). The TCF is intended to help ensure that organizations relying on the OpenRTB protocol comply with the GDPR. The OpenRTB protocol is a widely used protocol for Real Time Bidding, which is the automated and instantaneous online auction of user profiles for the sale and purchase of advertising space on the Internet. Technology companies can bid for advertising space on websites in real time when users access them through an automated auction system. The auction system uses algorithms to display targeted ads specifically adapted to the user's profile. The TCF expresses users' preferences in terms of potential providers and various processing purposes, including offering tailored advertising.

The authority criticized the lack of a legal basis for the data processing, the failure to comply with information and transparency obligations, and the failure to implement and demonstrate sufficient technical and organizational measures. In addition, IAB Europe had not kept a record of processing activities, had not appointed a data protection officer, and had not carried out a data protection impact assessment.

IAB Europe announced in a statement that it would consider taking legal action against the decision. Whether the view of the Belgian data protection supervisory authority will prevail therefore remains to be seen.

(Johanna Schmale)

Higher Administrative Court of Kassel: Annulment of the decision regarding "Cookiebot"

In our January 2022 data protection newsletter, we provided information about a decision by the Administrative Court of Wiesbaden on the use of the cookie service "Cookiebot". In the decision, RheinMain University of Applied Sciences was prohibited by way of a temporary injunction from integrating "Cookiebot" on its website for the purpose of requesting consent in such a way that personally related or relatable data of the applicant is transmitted to servers operated by an external company (Administrative Court of Wiesbaden, decision dated December 1, 2021 - Ref. 6 L 738/21.WI, cf. the court's press release). The decision of the Wiesbaden Administrative Court - with the exception of the discontinuation decision and the determination of the amount in dispute - has now been overturned on appeal by the Higher Administrative Court of Kassel (Higher Administrative Court of Kassel, decision dated January 17, 2022 - Ref. 10 B 2486/21).

In the opinion of the Higher Administrative Court of Kassel, the Administrative Court of Wiesbaden should not have issued the temporary injunction sought by the applicant because the applicant had not substantiated a reason for the injunction within the meaning of Section 123(3) of the German VwGO (regulations governing administrative courts) in conjunction with Section 920(2) of the German ZPO (Code of Civil Procedure). In principle, the prohibition of anticipation of the main issue applies to the temporary injunction. In proceedings for interim relief, anticipation of the main issue can only be considered in exceptional cases if waiting for the decision on the main issue would result in serious and unreasonable disadvantages for the applicant which could not be remedied subsequently, taking into account the fundamental right affected in each case and the requirements of effective legal protection.

In the opinion of the court, however, the existence of this requirement is precisely not apparent from the applicant's statements. The applicant uses the website of the RheinMain University of Applied Sciences for information on specialist literature. The risk of renewed unlawful processing of his data would only exist if he accessed the website again and answered questions about the use of cookies. However, it could not be inferred from his statement that he would also need to access the website in the future; rather, he was free to use it. It was therefore not apparent what serious, unreasonable and subsequently irreversible disadvantages the applicant would be threatened with if he temporarily refrained from accessing the respondent's website until a final decision had been reached in the main action.

The Higher Administrative Court of Kassel did not examine in greater detail the degree of probability of success in the main proceedings. Whether the opinion of the Wiesbaden Administrative Court that the integration of Cookiebot on a website is accompanied by an unlawful transfer of personal data will prevail in the main proceedings and in similar cases in the future therefore remains open.

(Johanna Schmale)

Munich Regional Court I: Data protection breach in the use of Google Fonts

The Regional Court I of Munich has ruled that the transmission of the IP address to Google in the context of the use of Google Fonts cannot be justified by the legitimate interest pursuant to Article 6(1)(1)(f) of the GDPR (Regional Court I of Munich, decision dated January 20, 2022 - Ref.: 3 O 17493/20).

Google Fonts are fonts from Google that can be integrated into websites. The integration of Google Fonts can be performed by a call to a Google server. In this process, personal data of the users, for example their IP address, is transmitted to Google. To avoid this problem, local storage on the company's own servers is also possible. In the case underlying the decision, however, the defendant website operator had failed to do this; it had embedded Google Fonts on its website via a link. According to the court, the website operator violated the plaintiff's right to informational self-determination by forwarding the dynamic IP address to Google without the plaintiff's consent when the plaintiff accessed the website.

According to the court, the data processing could not be justified by the legitimate interest pursuant to Article 6(1)(1)(f) of the GDPR, since Google Fonts could also be used without a connection to a Google server being established when the website is called up, and without a transfer of the website user's IP address to Google taking place. Because the data transfer can be prevented without much effort, any other configuration is therefore contrary to data protection law.

(Johanna Schmale)

On our own behalf: English data protection newsletter

In our data protection newsletter, we report monthly on current events in data protection law. In addition, we summarize the main features of data protection law and particularly relevant practical information on a selected main topic on a few pages.

Since February 2022, we have also been offering our newsletter in English. The background for the expansion of our offer is the increase in corresponding requests in the past and a greater international interest in our offer. The English version of the newsletter can be downloaded directly from our homepage at Our readers can switch to the English version of the individual documents, and also have the opportunity to subscribe to the English newsletter by e-mail. The corresponding registration form can be found at

(Johanna Schmale)