
Newsletter data protection

Dear readers,

We cordially invite you to our Data Protection Law Day on 12.05.2023!

Since the GDPR entered into force, some data protection questions arising from its application have been clarified fully, others at least partially. Still other questions and problems continue to arise, or are entirely new.

We would like to use the 4th BRANDI Data Protection Law Day to discuss issues relating to cloud use, cybersecurity and liability risks with you and with external experts. This year, our event will finally take place in person again, in Bielefeld at the Hotel Bielefelder Hof. In addition, it will be possible to follow our Data Protection Law Day online.

We were once again able to attract a renowned expert for the event. This year, the Hessian Commissioner for Data Protection and Freedom of Information, Prof. Dr. Alexander Roßnagel, will be our guest and help shape our Data Protection Law Day.

In two keynote presentations, each followed by a panel discussion, we will take a closer look not only at the use of cloud solutions, but also at the responsibility and liability for cybersecurity incidents and at protection against them. We look forward to discussing the following issues and topics, among others:

  • Legal advantages and disadvantages of on-premises solutions on the one hand and cloud-based applications on the other
  • Consequences of the case law following Schrems II for cloud use
  • Data-protection-compliant use of Microsoft 365?
  • Status of the adequacy decision for the U.S.
  • Liability in the cloud
  • Responsibility and liability for cyber incidents
  • Regulators’ perspective on cyber incidents
  • Cooperation and communication strategies
  • Legal protection against cyber incidents

We will inform you about the possibilities to register for the event in a timely manner on our homepage as well as in our data protection newsletter.

For feedback on this newsletter or questions related to the newsletter topics, please email us at datenschutz@brandi.net. You can also find the other contact details on our homepage.

Dr. Sebastian Meyer and the BRANDI data protection team

Topic of the month: Requirements for sending newsletters

In addition to contact forms, online and social media presences, many companies use regular newsletters to stay in touch with their customers or to inform interested parties about company offers and promotions, as well as current topics and news. Due to the lower costs and workload compared to postal advertising, and not least in view of increasing digitization, most of the advertising is sent by e-mail. If newsletters are sent for marketing purposes, the company must take into account various legal requirements that arise primarily from data protection law and competition law. Below we provide an overview of these legal requirements and specifications.


BfDI prohibits operation of the federal government’s Facebook Fanpage

On February 17, 2023, the Federal Commissioner for Data Protection and Freedom of Information (BfDI), Ulrich Kelber, instructed the Federal Press Office to discontinue operation of the federal government’s Facebook Fanpage (press release 6/2023). The Federal Press Office now has four weeks from receipt of the notice to implement the decision.

According to the BfDI’s assessment, the Federal Press Office and Meta are joint controllers for the processing of data collected from data subjects when they use the Fanpage. In order to fulfill its accountability obligation under Art. 5 (2) GDPR, the controller must be able to prove that the data processing complies with the requirements of data protection law. The Federal Press Office has not yet been able to provide such proof. The BfDI also criticized the lack of a legal basis for the collection of data via the Fanpage and its transmission to Meta, as well as the fact that the consent required under the TTDSG and the GDPR for the use of technically unnecessary cookies is not effectively obtained.

The BfDI commented on the decision as follows: “I have pointed out that it is not possible to operate a Facebook Fanpage in a privacy-compliant manner. This is shown by our own investigations and the brief report of the Data Privacy Conference. All authorities have a responsibility to comply with the law in an exemplary manner. According to the results of my checks, this is currently impossible when operating a Fanpage due to the extensive processing of personal data of the users. I think it is important for the state to be accessible and share information through social media. But it may do so only if the fundamental rights of citizens are preserved.”

The Federal Press Office now has the opportunity to file a complaint against the BfDI’s decision within one month.

(Christina Prowald)

DSK: Report of the Microsoft Online Services Working Group

On January 31, 2023, the Data Protection Conference (Datenschutzkonferenz, DSK), the association of the independent data protection supervisory authorities of the German federal and state governments, published a decision on the data protection assessment of the possibilities for public bodies of third countries to access personal data that is processed on behalf of a controller within the EEA pursuant to Art. 28 GDPR (decision dated 31.01.2023). The decision is based on the final report of the DSK Working Group Microsoft Online Services.

The DSK first states that the mere risk that a third-country parent company or third-country government bodies could instruct EEA companies to transfer personal data to a third country is not sufficient to assume a third-country transfer within the meaning of Art. 44 et seq. GDPR. However, such a risk can mean that a processor lacks the reliability required under Art. 28 GDPR if it has not taken sufficient safeguards, for example against third-country transfers demanded under third-country law. Where a third-country law or practice that may require processing of personal data that is unlawful under EU law applies to the EEA subsidiary of a third-country company, particularly high standards apply to the examination of the processor. A mere assertion that the data is processed exclusively by the EEA company is not sufficient in this respect. Rather, a comprehensive examination of the individual case is required, taking into account the third-country rules and the safeguards the company has put in place.

Finally, the DSK explicitly points out that the data controller must be able to demonstrate that a processor meets the requirements of the GDPR, in particular those of Art. 28 GDPR, in terms of reliability, expertise and resources.

(Christina Prowald)

BSI: Many software products for online stores are insecure

As part of a study, the German Federal Office for Information Security (BSI) examined the security features of software products that online retailers can use to create their web stores and published the results of the study on February 27, 2023 (press release dated 27.02.2023).

During the investigation, the BSI identified a total of 78 security vulnerabilities, some of which have a significant impact on the security of consumers’ data. Most importantly, almost all products had an inadequate password policy. In 7 out of 10 cases, JavaScript libraries with known vulnerabilities were identified. Software components for which security updates are no longer available were found in half of the products examined. The BSI has presented its findings to the software manufacturers and called on them to provide updates for the identified vulnerabilities. Operators of online stores were also advised to install available security updates promptly or to switch to unaffected products.

BSI Vice President Dr. Gerhard Schabhüser commented: “This study shows that the responsibility for secure online shopping lies on both the manufacturer and the retailer side. To reduce the risk of future data leakage incidents and achieve a sustainable increase in the IT security level of online stores, software manufacturers must regularly conduct vulnerability analyses – in the BSI’s view, already during product development.”

The final report also contains guidance for operators of online stores.

(Christina Prowald)

ECJ: Stricter national rules on the dismissal of a data protection officer are in line with European law

The European Court of Justice (ECJ) ruled on February 9, 2023, that a national regulation on the dismissal of a data protection officer that is stricter than the requirements of the GDPR is compatible with EU law (ECJ, decision dated 09.02.2023 – Ref. C-560/21). Specifically, the proceedings concerned the German provision of Section 6 (4) of the German Data Protection Act (BDSG), which requires good cause for the dismissal and termination of an internal data protection officer. The GDPR itself does not provide for a corresponding requirement in Art. 38 (3) GDPR.

The court stated that data protection officers should be able to exercise their office in complete independence. Art. 38 (3) (2) GDPR also serves this objective. Ultimately, it follows that each Member State is free to provide for stricter rules for the dismissal of the data protection officer, provided that these are compatible with the GDPR, specifically with Art. 38 (3) (2) GDPR. However, stricter protection should not compromise the achievement of the objectives of the GDPR. This would be the case if the protection also prohibited any dismissal of a data protection officer who no longer has the necessary qualifications to perform his or her duties, or who does not perform his or her duties in accordance with the GDPR. In this respect, the ECJ concludes that a national regulation, according to which an internal data protection officer can only be dismissed for good cause, even if the dismissal is not related to the performance of his or her duties, complies with European law, as long as the regulation does not impair the achievement of the objectives of the Regulation.

(Christina Prowald)

KG Berlin: Unauthorized e-mail advertising in case of insufficient consent

The KG Berlin ruled on November 11, 2022 that e-mail advertising is to be regarded as unlawful, despite the existence of the data subject’s consent, if a newsletter is sent more frequently than the consent specifies (KG Berlin, decision dated 22.11.2022 – Ref. 5 U 1043/20).

The court assessed the newsletter mailing in question as unreasonable harassment within the meaning of Section 7 (1) UWG. This is always assumed to be the case if advertising is sent by e-mail without the effective consent of the person concerned. Here, consent had only been given for weekly advertising by e-mail, not for a higher frequency. The company had nevertheless sent the person concerned several advertising e-mails within one week. The more frequent sending of the newsletter was therefore not covered by the consent and was unlawful and anti-competitive.

(Christina Prowald)

OLG Hamm: Damages in the amount of 50 euros for unauthorized data storage by a job center

On December 19, 2022, the Higher Regional Court of Hamm ruled that a data subject whose personal and address data were unlawfully stored by a job center in the context of employment administration has at most a claim for damages in the amount of 50 euros (OLG Hamm, decision dated 19.12.2022 – Ref. 11 W 69/22).

In the underlying case, the job center had stored the data of the person concerned even though he had not applied for benefits. The court stated that a claim under official liability was ruled out, since the violation of the right to informational self-determination had in any case not exceeded the de minimis threshold. In particular, it had to be taken into account that there had “only” been unauthorized storage for a limited period of time, while the data had neither been reused without authorization nor passed on to third parties. The data protection breach therefore placed only a slight burden on the data subject. A claim for damages pursuant to Art. 82 GDPR is, however, possible. It is currently disputed whether non-material damages can be awarded if there has been no significant infringement of the right of personality. In any event, the facts of the case provided no evidence that would justify compensation of more than 50 euros for pain and suffering. This would also apply if the provisions of the GDPR were interpreted as far as possible in favor of the data subject.

(Christina Prowald)

France: fine of 5 million euros against Tiktok

The French supervisory authority Commission nationale de l’informatique et des libertés (CNIL) imposed a fine totaling 5 million euros on the social media platform Tiktok on December 29, 2022 (press release dated 12.01.2023). Both Tiktok Information Technologies UK Limited and Tiktok Technology Limited of Ireland, as joint controllers, must each pay 2.5 million euros.

The reason for the fine was the cookie banner implemented on the companies’ website, which did not offer users a way to reject technically unnecessary cookies that was as simple as accepting them. During its investigation, CNIL found that the cookie banner contained only one “Accept” button, while rejecting cookies required several clicks. The regulator also criticized the fact that Tiktok did not inform website visitors in sufficient depth about the cookies used on the website and their purposes.

(Christina Prowald)

EU Commission plans adaptation of the GDPR

The EU Commission’s plans for an adaptation of the GDPR are slowly becoming more concrete. An initial improvement initiative has been announced for the second quarter, aimed primarily at better enforcement of the requirements of the GDPR. The initiative was likely prompted by dissatisfaction with the actions of individual data protection supervisory authorities. The focus is primarily on the Irish authority (Data Protection Commission – DPC), which is supposed to act as the lead supervisory authority for numerous large IT groups with their European headquarters in Ireland. Before a concrete proposal to adapt the GDPR is made, interested parties may comment publicly on the project; a separate page has been set up for this purpose.

(Dr. Sebastian Meyer)

In-house news: BRANDI Taster Day

Our BRANDI taster day took place on February 20, 2023. As part of the event, scholarship holders from the Studienfonds OWL Foundation had the opportunity to get to know the day-to-day work in the field of data protection law and to work together with the data protection team to develop solutions for various data protection issues. The BRANDI Rechtsanwälte Partnerschaft mbB has been supporting the Studienfonds OWL Foundation in the promotion of young talents from the field of law since 2015.