
Newsletter data protection

Dear readers,

On the occasion of a recently published guideline from the German Data Protection Conference (DSK) on the processing of personal data for purposes of direct advertising, we provide advice on the data privacy-compliant use of direct advertising in our current focus topic. In our data protection newsletter, we also provide information on other current data privacy topics, such as a fine of 1.9 million euros imposed on a housing association by the State Data Protection Officer in Bremen.

For feedback on this newsletter or questions related to the newsletter topics, please email us at datenschutz@brandi.net. You can also find the other contact details on our homepage.

Dr. Sebastian Meyer and the BRANDI data protection team

Topic of the month: Direct advertising and data protection

Advertising is an important means for companies to address and win customers, to increase their own visibility and to increase sales. According to Article 2(a) of the UCP Directive (EU Directive 2006/114/EC of December 12, 2006) concerning misleading and comparative advertising, the term "advertising" includes "the making of a representation in any form in connection with a trade, business, craft or profession in order to promote the supply of goods or services, including immovable property, rights and obligations". According to this broad understanding of the term, it covers all activities of a company which are aimed at promoting the sale of its products or services. Direct advertising is characterized by addressing the target person directly, for example by mail, e-mail or telephone.

Direct advertising measures are regularly accompanied by the processing of personal data. In this respect, responsible companies must comply with the relevant provisions of data protection law. On February 18, 2022, the German Conference of the Independent Federal and State Data Protection Authorities (Data Protection Conference, DSK), published its guideline on the processing of personal data for direct advertising purposes under the GDPR, in which it addresses the special data protection features of direct advertising. The guidance can be drawn upon to help choose the correct procedure when using direct advertising.


Basic agreement on "Trans-Atlantic Data Privacy Framework"

The European Commission and the USA have reached an agreement in principle on a "Trans-Atlantic Data Privacy Framework". The new framework is intended to enable the secure transfer of data between the EU and participating U.S. companies. In particular, appropriate protection of data transferred to the U.S. is to be ensured, taking into account the "Schrems II" ruling of the European Court of Justice (ECJ).

In its "Schrems II" ruling in 2020, the ECJ had declared the EU-US Privacy Shield, which until then had been one of the most important bases for data transfers to the USA, to be invalid (ECJ, ruling dated July 16, 2020 - Ref. C-311/18, we reported in our data protection newsletter in August 2020). In the reasoning for its decision, the ECJ criticized the level of data protection in the U.S., in particular legislation such as the CLOUD Act, which allows U.S. intelligence agencies extensive access to data. With similar reasoning, the ECJ had already declared the predecessor regulation, the Safe Harbor Agreement of July 26, 2000 (Commission Decision 2000/520/EC of July 26, 2000), invalid (ECJ, judgment of October 6, 2015 - Ref. C-362/14).

According to information from the European Commission and the White House, the new set of rules and binding guarantees will limit U.S. intelligence agencies' access to data "to what is necessary and proportionate to protect national security". Under the agreement, U.S. intelligence agencies are to establish procedures to ensure effective oversight of the new standards. It also provides for a new two-tiered redress system for investigating and resolving complaints from Europeans about access to their data by U.S. intelligence agencies, including a special court to review compliance with data protection requirements. Furthermore, it provides for strict obligations on companies processing data transferred from the EU, as well as specific monitoring and review mechanisms.

In the next steps, corresponding legal documents will now be drawn up on the basis of the agreement in principle. The U.S. commitments will be incorporated into an implementing regulation, which will form the basis for a draft adequacy decision by the Commission to implement the new transatlantic data protection framework. It remains to be seen whether an adequacy decision by the European Commission will actually be adopted as a result and whether such a decision can subsequently withstand a possible judicial review. This will probably require at least a significant restriction of the surveillance powers of U.S. intelligence services.

(Johanna Schmale)

Italian data protection authority: 20 million euro fine against Clearview for unlawful facial recognition

The Italian data protection supervisory authority has imposed a fine of 20 million euros on the American company Clearview AI for the unauthorized use of biometric data (facial recognition) (see the authority's press release of March 9, 2022).

The company Clearview AI specializes in computer-based facial recognition, using large amounts of image data and artificial intelligence. According to the Italian supervisory authority, Clearview reportedly owns a database of more than 10 million facial images from around the world, extracted from public web sources using web scraping. The company's sophisticated search service, it said, allows AI systems to be used to create profiles based on biometric data extracted from the images. This information could be enriched with information linked to those images, for example image tags, location data and source websites.

The data protection authority criticized Clearview AI for enabling – contrary to claims – the tracking of Italian nationals and people located in Italy. It said that the investigation had revealed that the personal data in the company's possession was being processed unlawfully and without an adequate legal basis. According to the data protection authority, the company's legitimate interest does not qualify as a legal basis. In its opinion, the company also violated several fundamental principles of the General Data Protection Regulation (GDPR), including the principle of transparency by failing to provide adequate information to users, the principle of storage limitation by not providing information on the period of data storage, and the principle of purpose limitation, as the company processed users' data for purposes other than those for which they were originally put online.

In addition to imposing the fine, the Italian authority required the company to delete the data related to individuals in Italy. It also banned further collection and processing of the data by the company's facial recognition system. In addition, it ordered the company to appoint a representative in the EU to facilitate the exercise of data subjects' rights.

(Johanna Schmale)

Bremen data protection supervisory authority: 1.9 million euro fine against housing association

The Bremen State Commissioner for Data Protection and Freedom of Information has imposed a fine of 1.9 million euros on the housing association BREBAU GmbH (see the authority's press release dated March 3, 2022).

The supervisory authority criticized the company for processing more than 9,500 data records on prospective tenants without a legal basis. According to the authority, information about "hair styles, body odor and personal appearance" was not required for the conclusion of tenancy agreements. More than half of the cases involved data that require special protection under the GDPR. For example, information on skin color, ethnic origin, religious affiliation, sexual orientation and state of health had also been processed. The authority also accuses the company of deliberately thwarting requests from data subjects for transparency about the processing of their data.

In the opinion of the authority, a significantly higher fine would have been appropriate due to the significant legal violations. However, BREBAU GmbH had cooperated extensively with the authority in the proceedings, had endeavored to mitigate the damage and clarify the facts itself, and had ensured that such violations would not be repeated, which is why the amount of the fine could be significantly reduced.

(Johanna Schmale)

North Rhine-Westphalian data protection supervisory authority: Instructions for the collection of customer contact data

The North Rhine-Westphalian State Commissioner for Data Protection and Freedom of Information (LDI NRW) has published on its homepage updated guidance on the collection of customer contact data for the purpose of tracing chains of infection in connection with the coronavirus.

In the guidance, the supervisory authority points out that the Corona Protection Regulation currently in force in North Rhine-Westphalia does not provide for a general obligation for certain business sectors to collect contact data for the traceability of persons. However, the processing of contact data of customers, guests and event participants to prevent the spread of the coronavirus can be ordered by the cities and municipalities according to Sections 28 and 28a of the Law for the Prevention and Control of Infectious Diseases in Humans (IfSG). If such an official order exists, the collection of contact data is permissible for the fulfillment of a legal obligation according to Article 6(1)(1)(c), (3) of the GDPR.

The authority explains, among other things, that the permission relates only to contact data and information on the period and place of stay, insofar as this is absolutely necessary for tracing contact persons. Responsible parties must also ensure that unauthorized persons cannot gain knowledge of the data collected, and that the data is destroyed in accordance with data protection requirements after the retention period has expired. The authority also points out the need to comply with the principles of purpose limitation and data minimization and with the information requirements. Sample forms on the subject, for example regarding information obligations, are available from the LDI NRW on its homepage.

(Johanna Schmale)