
Newsletter data protection

Dear readers,

Our BRANDI-Data Protection Law Day on May 24, 2024, is approaching and we are looking forward to interesting discussions on the topic of “Security begins with data protection”. It is still possible to register for the event; we have summarized the information regarding the registration option for you once again in this newsletter.

As usual, we also report on current events in data protection law, including a decision by the ECJ on claims for damages under Article 82 GDPR, a decision by the Federal Court of Justice on the deletion of the data of a GmbH managing director and a limited partner from the commercial register, a decision by the Düsseldorf Regional Court on the consequences of a delay in providing information and a decision by the French supervisory authority to impose a fine.

For feedback on this newsletter or questions related to the newsletter topics, please email us at datenschutz@brandi.net. You can also find the other contact details on our homepage.

Dr. Sebastian Meyer and the BRANDI data protection team

Topic of the month: Messenger services within the company

The use of messenger services has become an integral part of everyday business life. This applies to internal company communication on the one hand and communication with customers on the other. From the company's point of view, the main advantages are easier accessibility for employees without a fixed PC workstation, more personal communication with customers and target group-oriented accessibility. On the other hand, it is often problematic that messenger services have extensive access to the data and metadata stored on users' mobile devices and analyze them.

If WhatsApp & Co. are used in the company, it is therefore important to comply with the relevant data protection requirements.


On our own account: BRANDI-Data Protection Law Day

In our data protection newsletters of the past months, you have already received an invitation and information about our Data Protection Law Day on May 24, 2024, as well as the registration options. Together with you and external experts, we would like to discuss the topic of “Security begins with data protection” at the event.

It is still possible to register for the event using the following link: https://www.brandi.net/en/news/detail/4-brandi-datenschutzrechtstag-praesenzveranstaltung-am-24052024/

If there are specific questions you would like to discuss at the event, you can send them to us in advance at the following e-mail address: WissMit-DatenschutzBI@brandi.net. You will also have the opportunity to ask questions during the event and actively participate in the discussion. We will of course also be happy to answer any organizational questions you may have in the run-up to the event.

We look forward to a large number of participants at the event!

(Christina Prowald)

New data protection rules for China

On March 22, 2024, the Cyberspace Administration of China (CAC) issued new regulations to facilitate cross-border data flows (notice of 22.03.2024). The provisions came into force on the day of publication.

In certain cases, the new regulations exempt data exporters from the strict requirements that otherwise apply to international data transfers. Until now, data exports from China had to be secured by means of a security check, certification or the conclusion of standard contractual clauses provided by the CAC. Under the new regulations, such safeguards are not required in various exceptional cases as long as no sensitive information is transferred. Multinational corporations in particular can benefit from the simplifications. Among other things, the provisions standardize exceptions for cross-border personnel administration, the cross-border conclusion of contracts with individuals, the transfer of data in emergency situations to protect the life, health and safety of natural persons and the transfer of small amounts of data.

(Christina Prowald)

ECJ: Amazon must provide advertising archive for online advertising

In its ruling of March 27, 2024, the ECJ rejected Amazon's application for suspension of the obligation to make an advertising archive publicly accessible (ECJ, decision of 27.03.2024 - Ref. C-639/23 P(R)). The interests of the European Commission would take precedence over those of Amazon, which is why the application for suspension was denied in the interim relief proceedings.

The background to this was the decision by the European Commission on April 23, 2022, according to which Amazon was classified as a very large online platform in accordance with Regulation (EU) 2022/2065 on a single market for digital services (Digital Services Act). This results, among other things, in Amazon's obligation to make an advertising archive with detailed information for online advertising publicly accessible. Amazon sought interim relief against this decision and at the same time applied to the ECJ for a declaration of nullity. By order of March 27, 2023, the decision was initially ordered to be suspended (ECJ, decision of 13.12.2023 - Ref. C-639/23 P(R)), against which the Commission has lodged an appeal.

The ECJ is of the opinion that an unlawful restriction of Amazon's right to respect for private life, which is also granted to companies, and of its entrepreneurial freedom through the obligation to make advertising archives publicly accessible cannot be ruled out from the outset. Nor can it be ruled out that Amazon will suffer serious, irreparable damage without the suspension until the final judgment in the main proceedings, which may annul the Commission's decision. However, the interest of the Union legislator in achieving the objectives of the Digital Services Act, which are intended to prevent a threat to fundamental rights in the online environment, must be included in the relevant balancing of interests. This took precedence over Amazon's material interests, which is why the application to suspend the Commission's decision was ultimately rejected. The final judgment in the case will be issued later.

(Gesche Kracht)

ECJ on the claim for damages under Article 82 GDPR

In its judgment of April 11, 2024, the ECJ further differentiated the existing case law on claims for damages under Article 82 GDPR (ECJ, decision of 11.04.2024 - Ref. C-741/21). In the main proceedings, the plaintiff had brought an action for damages under Article 82 (1) GDPR due to the repeated receipt of advertising letters after objecting to the use of his personal data. The trial court then referred various questions to the ECJ, in particular on the concept of non-material damage and the assessment of the claim for damages.

Following on from previous case law, the ECJ states that the infringement of provisions of the GDPR that confer rights on the data subject is not in itself sufficient to justify a claim for damages. With reference to recital 85, the ECJ clarifies that the "loss of control" asserted by the plaintiff is in principle covered by the concept of damage. With regard to the assessment of the claim for damages, the court points out that it is up to the Member States to define criteria for determining the amount of compensation, while respecting the principles of effectiveness and equivalence under EU law. The criteria set out in Article 83 GDPR are not transferable due to the different objectives. While Article 83 GDPR regulates the conditions for the imposition of fines and thus pursues a punitive purpose, Article 82 GDPR rather has a compensatory function. For these reasons, the amount of compensation should not be influenced by the severity of the infringement and a repeated infringement against the same data subject is not a relevant criterion.

Furthermore, the ECJ found that it is not possible to exempt the controller from liability by making a blanket reference to the misconduct of subordinates. Liability under Article 82 (3) GDPR would be too easy to circumvent, which would significantly reduce the effectiveness of the claim for damages. Taking into account the objective of a high level of protection for personal data, which the GDPR is intended to ensure, the loss of this effectiveness would run counter to this objective. The exemption from liability under Article 82 (3) GDPR should therefore be strictly limited to cases in which the controller can prove that there is no causal link between their conduct and the damage. It is not sufficient for the controller to prove that it issued instructions to a person under its authority within the meaning of Article 29 GDPR that were not complied with.

(Gesche Kracht)

BGH on the deletion of the data of a GmbH managing director and a limited partner from the commercial register

On January 23, 2024, the BGH ruled that Article 17 (1) GDPR does not entitle the managing director of a GmbH to have his data deleted from the commercial register (BGH, decision of 23.01.2024 - Ref. II ZB 7/23).

The applicant is the managing director of a limited liability company and is entered as such in the commercial register. Because there was a risk of a criminal offense being committed against him due to his professional handling of explosives, he applied to the competent registry court to have his date of birth and place of residence removed from the commercial register. The registry court rejected this, whereupon the applicant first lodged a complaint and then an appeal on points of law with the Federal Court of Justice.

In its decision, the BGH states that a claim for removal of the information in the commercial register does not arise either from the GDPR or from national law. The applicant's request to remove the data from the commercial register is generally covered by Article 17 GDPR. However, even if one of the reasons for deletion of the personal data of a data subject listed in Article 17 (1) GDPR existed, the claim was excluded under Article 17 (3) (b) case 1 GDPR. The entry of the date of birth and place of residence of a GmbH managing director in the commercial register is a legal obligation of the register court arising from Section 10 (1) (1) GmbHG, Section 387 (2) FamFG, Section 43 No. 4 (1) (b) HRV. Finally, there is also an obligation to disclose the registered data for information purposes in accordance with Section 9 (1) HGB. The processing also satisfies the lawfulness requirement of Article 6 (1) GDPR, as the legal obligation of the registry court pursues an objective in the public interest within the meaning of Article 6 (3) (2) and (4) GDPR. There were no indications of a specific risk to the applicant.

The alternative request for a restriction on the disclosure of the data to the effect that it would only be transferred to third parties after a balancing of interests was also rejected. The BGH stated that none of the grounds for restricting data processing listed in Article 18 (1) (a) to (d) GDPR apply. You can find out more about this in our detailed blog post on this topic.

(Gesche Kracht)

OLG Celle rejects appeal in mass proceedings

The Higher Regional Court of Celle dismissed the appeal in an action relating to data scraping on the grounds that the grounds of appeal did not meet the requirements of Section 520 (3) Nos. 2 and 3 ZPO and, in particular, were not tailored to the specific case in dispute (OLG Celle, decision of 04.04.2024 - Ref. 5 U 77/23).

At first instance, the Hildesheim Regional Court dismissed an action for damages and injunctive relief against Facebook. The background to the proceedings was the emergence of Facebook user data on the internet (so-called data scraping incident), which numerous courts had already had to deal with in similar cases in the past. In his appeal, the plaintiff continued to pursue the first-instance claims.

In the opinion of the Higher Regional Court of Celle, the grounds of appeal did not meet the applicable requirements in this respect. In particular, the statement of grounds was not tailored to the regional court judgment; rather, it was a document made up of text modules that was obviously created to be used more or less unchanged in terms of content for a large number of appeal proceedings. The plaintiff's argument that these are so-called mass proceedings, which is why the legal explanations are necessarily the same in all parallel cases due to the identical GDPR violations and are therefore not contrary to procedural law, does not apply. The fact that the legal questions are identical at the outset does not release the appellant from the requirement that each individual statement of grounds of appeal must be tailored to the respective first instance judgment, especially since these judgments could also differ in their reasoning. An examination of the specific reasoning of the regional court did not take place here.

With its decision, the Higher Regional Court of Celle has once again tightened the requirements for the grounds of appeal in mass proceedings with reference to the statutory provisions.

(Gesche Kracht)

OLG Oldenburg: Loss of control does not justify a claim for damages under Article 82 GDPR

The Oldenburg Higher Regional Court also had to deal with a data scraping incident in a complaint procedure. Specifically, the case involved unknown persons using a complex technical procedure to gain access to numerous telephone numbers of users of the Facebook platform and then publishing this information. The court found that a loss of control over the personal data did not in itself constitute damage (OLG Oldenburg, decision of 20.02.2024 - Ref. 13 U 43/23; GRUR-RS 2024, 2789). 

In the proceedings at first instance, the plaintiff sued for damages in accordance with Article 82 (1) GDPR. He based his claim on the fact that he had suffered a considerable loss of control over his data due to the disclosure of his data as part of the scraping incident and has since suffered great discomfort and concern regarding the possible misuse of his data.

The Oldenburg Higher Regional Court dismissed the appeal against the judgment of the court of first instance, which rejected a claim for damages. The loss of control suffered did not in itself constitute damage. With reference to ECJ case law, the OLG stated that although the loss of control over one's own data could in principle justify a claim for compensation, the plaintiff must also demonstrate specific material or immaterial damage. A loss of control without consequences does not constitute immaterial damage. Concerns, fears and anxieties about possible future misuse in such a way that these would constitute immaterial damage could not be established even after hearing the plaintiff.

(Gesche Kracht)

OLG Brandenburg: Annoyance, discomfort and stress do not justify a claim for damages

The Higher Regional Court of Brandenburg has rejected a claim for damages by the plaintiff against the defendant under Article 82 GDPR due to the delay in responding to a request for information under Article 15 GDPR (OLG Brandenburg, decision of 05.03.2024 - 12 U 132/23; GRUR-RS 2024, 4611). Compensation for non-material damage is not dependent on this exceeding a certain materiality threshold. However, this does not mean that the affected party is exempt from proving the negative consequences for them and the specific damage. A generally alleged loss of control cannot in principle constitute damage. If the plaintiff claims annoyance, discomfort and stress, he must present concrete evidence on which his psychological impairment can be based. Damage could also occur if a data subject fears that their data will be misused by third parties because of a breach of the GDPR. In this respect, it must be examined whether the fear can be considered justified. In the case in question, the plaintiff had presented neither one nor the other. However, damage must be proven by the person concerned, which is why the claim must be rejected.

(Christina Prowald)

LG Düsseldorf: Delayed information pursuant to Article 15 GDPR is an infringement of competition law

According to the Regional Court of Düsseldorf, the late response to a request for information pursuant to Article 15 GDPR can also constitute a breach of competition law that can be prosecuted by the consumer advice center (LG Düsseldorf, decision of 15.03.2024 - Ref. 34 O 41/23).

In the case underlying the decision, the operator of the Peek & Cloppenburg online store wrote to a customer and reminded him of outstanding claims. The customer stated that he had not ordered any goods but had been the victim of identity theft and asserted his claim under Article 15 GDPR. The defendant only complied with this claim two months later and therefore late. The consumer advice center subsequently filed a lawsuit against the company and demanded that it cease and desist from providing late information in the future.

The Regional Court of Düsseldorf now found that the defendant had indisputably not complied with the deadline of Article 15 GDPR. The infringement of the GDPR also constituted an infringement of competition law, as Article 12 (3) and 15 GDPR are market conduct provisions within the meaning of Section 3a UWG. The infringement is also likely to significantly affect the interests of consumers, other market participants or competitors.

(Christina Prowald)

LG Stuttgart and LG Freiburg on the claim for damages due to API bug at X

The Regional Court of Stuttgart and the Regional Court of Freiburg have ruled on data protection claims in connection with an API bug at X (formerly Twitter). The API bug concerned an open interface between two software components and enabled third parties to obtain the system-side identification number of the respective user (assigned by X) by entering random email addresses or telephone numbers. Hackers can then use random hits to access further personal user data.

On January 24, 2024, the Regional Court of Stuttgart ruled that the plaintiff was not entitled to claim damages under Article 82 GDPR against company X (LG Stuttgart, decision of 24.01.2024 - Ref. 27 O 92/23). The court stated that the claim for damages presupposed that the plaintiff's account was affected by the API bug. However, the plaintiff had not been able to prove this in full. The reference to the internet platform , by means of which it should be possible to check whether an account is affected by the bug, was not sufficient in this respect. Although the site indicates that the plaintiff is affected, it is unclear how the site determines whether individual users are affected. How the website is supposed to have reliable knowledge of which accounts are affected by the bug remains open in this respect. The submission of an increased volume of spam by the plaintiff is also not sufficient evidence.

In contrast, on February 8, 2024, the Regional Court of Freiburg awarded an affected party a claim for damages in the amount of 100 euros due to the API bug at X (LG Freiburg, decision of 08.02.2024 - Ref. 8 O 212/23). It is of the opinion that the plaintiff had provided sufficient evidence of his own involvement by referring to the website . The defendant had not refuted this either. Furthermore, the court stated that the defendant had violated Article 24, 32, 5 (1) (f) GDPR by not taking sufficiently appropriate technical and organizational measures. In addition, the court found a violation of Article 33 (1) GDPR. In the court's opinion, the plaintiff also suffered causal damage because of the defendant's infringements. The damage did not lie in the increased volume of spam emails cited by the plaintiff, but in the credibly described fear of misuse of his email address by third parties.

(Christina Prowald)

LG Mannheim on data scraping on Facebook

On March 15, 2024, the Regional Court of Mannheim awarded a plaintiff a claim for damages in the amount of 50 euros against Facebook for unauthorized data scraping on Facebook (LG Mannheim, decision of 15.03.2024 - Ref. 1 O 99/23).

The court first found that Facebook had violated Article 25 and 32 GDPR. It was also convinced that the plaintiff was affected by the scraping incident. In a search on www.haveibeenpwnd.com, the plaintiff's number was listed as having been scraped. The site could generally be regarded as a reliable source. The plaintiff also suffered non-material damage because of the scraping incident. The loss of control over personal data alone does not constitute immaterial damage. However, the plaintiff had also stated that he was worried about his data. For him, it was as if he had lost his front door key. The plaintiff's statements were differentiated, which is why he is entitled to an amount of 50 euros for the damage suffered.

(Christina Prowald)

DSK statement on the new draft of the BDSG

In February 2024, the Federal Government presented a draft bill to amend the Federal Data Protection Act (BDSG). The Conference of Independent Federal and State Data Protection Supervisory Authorities (DSK) has now commented on this (statement of 12.04.2024).

Among other things, the draft bill provides for the statutory establishment and institutionalization of the DSK. In this respect, the DSK has pointed out that the relevant regulation should be expanded and the objectives of the DSK should be included in the provision. The DSK also emphasizes the need for a permanent office. The DSK also expresses concerns regarding the compatibility of the new regulations on the protection of business and trade secrets and on scoring with the provisions of the GDPR. In this respect, it also points out various ambiguities and the need for improvements. In addition, the DSK criticizes a new regulation according to which no fines can be imposed on authorities or other public bodies. There is also a need for fines in the public sector in order to highlight the seriousness of an infringement and prevent data protection violations. The newly proposed regulation should therefore be deleted.

(Christina Prowald)

France: Fine of 525,000 euros against HUBSIDE.STORE

On April 4, 2024, the French supervisory authority (CNIL) imposed a fine of 525,000 euros on HUBSIDE.STORE. The company had obtained data from data brokers and used it for commercial purposes without first ensuring that the data subjects had given their consent (communication of 09.04.2024).

HUBSIDE.STORE carried out various advertising campaigns by telephone and SMS. The company purchased the data of the advertising addressees from various data brokers. However, in the CNIL's view, the latter collected the data subjects' information using misleading forms that could not be used to obtain effective user consent for data processing. HUBSIDE.STORE subsequently violated the GDPR and French law with its advertising campaigns, as there was no effective legal basis for the data processing due to the inadequate declarations of consent. CNIL pointed out that companies that acquire data for advertising purposes must ensure that the data subjects have given valid consent and found that HUBSIDE.STORE had not effectively checked this. In addition, the supervisory authority criticized the company for not sufficiently complying with its information obligations under Article 14 GDPR, as it did not provide the data subjects with the information necessary to exercise their rights.

(Christina Prowald)