
Newsletter data protection

Dear readers,

The Big Brother Awards were presented in Bielefeld on April 29, 2022. This negative award for data protection (dis)honors data offenders from business and politics. The jury of data protection experts, which this year included Thilo Weichert, the former data protection officer of the state of Schleswig-Holstein, and Frank Rosengart of the "Chaos Computer Club", awarded prizes in various categories to Lieferando, the German Federal Criminal Police Office, the Irish data protection authority, the German Federal Printing Office and Klarna. Criticisms included the inadmissible monitoring of employees, the storage of data in violation of data protection, and the non-transparent bundling and evaluation of data.

In our data protection newsletter, we regularly inform you about current developments in data protection law. As usual, this issue also contains articles on events in data protection law, including information from the German Data Protection Conference (DSK) on data protection-compliant online commerce via guest access, decisions by the German Federal Court of Justice (BGH) and the Fiscal Court Berlin-Brandenburg on the right of access pursuant to Article 15 GDPR, and current developments at the European level on the topic of artificial intelligence. In our focus topic, we inform you about data transfers within company groups.

For feedback on this newsletter or questions related to the newsletter topics, please email us at datenschutz@brandi.net. You can also find the other contact details on our homepage.

Dr. Sebastian Meyer and the BRANDI data protection team

Topic of the month: Data transfers within organizations

The existence of a legal basis is generally required for data processing operations within a group of companies and, in particular, for the transfer of personal data to other companies within the group. In this respect, data processing within the group is also subject to the “prohibition with reservation of permission” set out in the General Data Protection Regulation (GDPR), according to which any processing of personal data requires the existence of an authorization under data protection law.

Groups or companies belonging to groups fall under the term “group of undertakings” under data protection law, which the GDPR defines in Article 4 No. 19 as a controlling undertaking and its controlled undertakings. From the perspective of data protection law, companies in such a group of undertakings are also independent entities in principle. Accordingly, not only the classic transfer of data in the sense of a direct transfer, but also the mere retrieval or access by a group company to data assigned to another group company as the data controller – for example in the case of shared databases or group-wide directories – must be qualified as a transfer of data to another company and thus as data processing requiring justification.

The GDPR does not provide a special legal basis for data transfers within a group (so-called “group privilege”). Only recital 48 contains information on the transfer of data within a group of undertakings on the basis of weighing of interests. The German Federal Data Protection Act (BDSG) also lacks a corresponding privileging regulation, so that the exchange of data between companies belonging to the same group must be governed by the general permissive provisions, in particular those of Article 6 GDPR.

The additional requirements arising from the GDPR, for example for the processing of special categories of personal data from Article 9 GDPR or for the transfer of data to third countries from Article 44 ff. GDPR, must also be observed in principle for data processing within the group.


Higher Labor Court Cologne: Access to private data may constitute grounds for dismissal

The Higher Labor Court Cologne has ruled that an employer may be entitled to terminate an employment relationship without notice if an employee obviously accesses private data of a work colleague that the latter has stored on the company IT systems (Higher Labor Court Cologne, decision dated November 2, 2021, Ref. 4 Sa 290/21).

The background to the labor court proceedings was a dismissal by the employer against an employee who – allegedly for the purpose of preserving evidence – had obviously looked through the private communications data of a work colleague and saved them separately. According to the employee’s argumentation, it was possible that the recognizably private data could have provided evidence of misconduct relevant under criminal law. In the first instance, the employee’s action for protection against unfair dismissal at the Labor Court was still successful (Labor Court Aachen, decision dated April 22, 2021, Ref. 8 Ca 3432/20). The Labor Court had argued that, in view of the lack of intent to harm, a warning would have sufficed in the specific case and that the immediate extraordinary dismissal was therefore disproportionate. This decision was rightly overturned by the Higher Labor Court. The court explained that the employee should have been aware that she was viewing and storing data that was not intended for her without sufficient authorization. Even if the employee believed that the data should have been saved to preserve evidence, it would not have been her responsibility to do so on her own authority. It is then also irrelevant whether the work colleague should have been allowed to store the private data on the systems at all.

The decision once again demonstrates the importance of the confidentiality of personal data, even if it is technically retrievable but may not be accessed. Employees are usually obligated by their employers to maintain the confidentiality of personal data in precisely this case, or are at least informed of this. At most, the requirement can be problematic for employees from the IT department if they have to check and evaluate whether other employees are using the IT systems properly as part of their job. In this relationship, different standards may have to be applied than for other employees who are obviously not allowed to access private data of work colleagues.

(Sebastian Meyer)

BGH: Abuse of the right of access under the GDPR

In a decision dated March 29, 2022, the German Federal Court of Justice (Bundesgerichtshof, BGH) referred several questions to the European Court of Justice (ECJ) for a preliminary ruling on the right of access pursuant to Article 15 GDPR (BGH, decision dated March 29, 2022, Ref. VI ZR 1352/20).

In the case on which the decision was based, the plaintiff requested that the defendant dentist provide him with a copy of all the medical records relating to him that existed at the defendant’s premises free of charge. The reason for the demand for surrender was what the plaintiff considered to be incorrect treatment by the defendant. The defendant, on the other hand, was of the opinion that a copy of the patient’s file only had to be handed over against reimbursement of costs. Pursuant to Section 630g (2) BGB (German Civil Code), a patient may request a copy of his or her medical record, but must reimburse the costs incurred by the treating provider. According to Article 15 (3) (1) GDPR in connection with Article 12 (5) GDPR, however, a data subject may, subject to the other requirements of Articles 12 and 15 GDPR, request that an initial copy of the personal data stored about him or her be provided free of charge. The main question was whether the plaintiff’s right of access under data protection law also exists if its sole purpose is to obtain information in order to assert claims under medical liability law, but no other data protection purposes within the meaning of recital 63 are pursued. In this respect, the BGH was of the opinion that this question could not be answered unambiguously either a priori or on the basis of the previous case law of the Court of Justice and for this reason referred various questions to the ECJ for a preliminary ruling.

The ECJ is now to clarify in particular whether the right to receive a copy of the personal data stored about the data subject also exists if the data subject requests the documents for the pursuit of legitimate but non-data protection purposes. Specifically, the BGH asked whether Article 15 (3) (1) in connection with Article 12 (5) GDPR should be interpreted as meaning that the controller is not obliged to provide the data subject with an initial copy of his or her personal data processed by the controller free of charge if the data subject does not request the copy in pursuit of the purposes set out in recital 63 sentence 1 of the GDPR, namely to become aware of the processing of his or her personal data and to be able to verify its lawfulness, but pursues another – non-data-protection-related but legitimate – purpose. If the answer to this question is no, the BGH would subsequently like to know whether and to what extent the claim resulting from Article 15 in connection with Article 12 GDPR can be limited by other national regulations, such as those of Section 630g (2) BGB, and what the scope of the data protection claim is.

(Christina Prowald)

Fiscal Court Berlin-Brandenburg: Right of access from the tax office

In its ruling of January 26, 2022, the Fiscal Court Berlin-Brandenburg ruled that the right of access under data protection law as set out in Article 15 GDPR also exists in principle vis-à-vis the tax office in the case of direct taxes (Fiscal Court Berlin-Brandenburg, decision dated January 26, 2022, Ref. 16 K 2059/21). However, with regard to information providers who process large amounts of data, the claim does not exist unconditionally and without any obligation to provide reasons. Rather, a corresponding request for information must be sufficiently specified and can be refused if the request is excessive.

In the underlying case, the plaintiff demanded information from his tax office about the data stored about him over the last 50 years, including data from external audits of third parties, all internal notes and correspondence, all transaction data, data provided by third parties and about third parties, as well as contracts and other documents. The reason for the request was a tax audit carried out on the plaintiff’s wife in connection with income from self-employed work, in the course of which the plaintiff’s mobile phone number was sent by the tax auditor to his wife’s professional e-mail address by means of an unencrypted e-mail for the purpose of coordinating an appointment without his consent.

The court stated that, although the claim existed on the merits, the plaintiff’s request was to be assessed as excessive within the meaning of Article 12 (5) GDPR, both in terms of substance and time, and was therefore rightly denied by the defendant. In the opinion of the Fiscal Court, the plaintiff’s request does not serve the purpose of ensuring the protection of the plaintiff’s privacy in the processing of data relating to him. Rather, the plaintiff was attempting to abuse the claim under Article 15 GDPR in order to gain access to entire files of administrative documents relating to him.

(Christina Prowald)

Regional Court Cologne: No claim for erasure of an entry from the Schufa file

In its ruling of February 16, 2022, the Cologne Regional Court ruled that Schufa may store an entry on a discharge of residual debt for a period of three years on the basis of overriding legitimate interests (Regional Court Cologne, decision dated February 16, 2022, Ref. 28 O 221/21).

In the case to be decided, the plaintiff requested that Schufa delete an entry on a discharge of residual debt from the debtor file following insolvency proceedings. According to the plaintiff, the entry prevented him from renting an apartment and obtaining a real estate loan and brought disadvantages with regard to the conclusion of various contracts. The defendant countered that the discharge of residual debt was intended to prompt potential lenders to take a special look at the plaintiff’s creditworthiness. The previously existing massive indebtedness was still in need of explanation to a lender, so that the storage of the entry was necessary. In this respect, a storage period of three years was appropriate.

The court found that there was no claim by the plaintiff against the defendant for erasure of the registration under Article 17 (1) GDPR, stating that the data processing was neither unlawful from the outset nor no longer necessary for the purposes for which the data were collected. The defendant has a legitimate interest within the meaning of Article 6 (1) (1) (f) GDPR in the storage of the entry, which outweighs the interests of the plaintiff. The provision of information in credit-related transactions is necessary to balance the information disparity between lender and borrower. The purpose of the data processing by the defendant is to enable lenders to make an accurate and objective assessment of the creditworthiness of the potential contract partner. In this respect, a discharge of residual debt is a relevant piece of data for any credit assessment and is of interest for the assessment of creditworthiness. A storage period of three years also does not contradict the principles of the GDPR. The decision of the Cologne Regional Court is not yet final.

(Christina Prowald)

DSK: Data protection-compliant online commerce via guest access

The Data Protection Conference (DSK), the association of independent data protection supervisory authorities at federal and state level, published guidance on data protection-compliant online commerce via guest access on March 24, 2022.

The principle of data minimization from Article 5 (1) (c) GDPR, according to which only such data may be collected as is necessary for the processing of a specific transaction, also applies in online commerce. Against this background, “responsible parties who offer goods or services in online commerce […] must in principle provide their customers [according to the DSK] with guest access (online business without creating an ongoing customer account) for ordering, regardless of whether they also provide them with registered user access (ongoing customer account).”

The DSK stated that it cannot be assumed that customer data may also be retained for possible but uncertain future transactions. In the DSK’s view, active customer consent is required for setting up a customer account and storing data for a longer period of time. With regard to customers who do not wish to enter into a long-term business relationship or do not wish to provide any additional data beyond that required to process the transaction, an order option must be provided via guest access. Guest access must enable customers to access the same offers and must also be equivalent in all other respects. The required equivalence shall be given if the customer does not suffer any disadvantages compared to ordering via a customer account.

In addition, the DSK generally points out that explicit consent must be obtained from the customers concerned even for the evaluation of data collected in the course of creating a customer account, and that the associated processing operations are not already covered by the general consent to create the customer account. In addition, customers must be comprehensively informed about data protection law both when ordering via guest access and when creating a customer account.

(Christina Prowald)

European Parliament: Artificial intelligence

The European Parliament has adopted the final recommendations of the Special Committee on Artificial Intelligence in a Digital Age (AIDA) (press release of May 3, 2022). The committee’s final report, which also incorporated the result of numerous hearings and debates, contains a “roadmap” and recommendations for action on how to deal with artificial intelligence (AI) by 2030.

The report addresses the potential of artificial intelligence to complement human activities and points to the need for the EU to lead the world in AI standards. Particular attention is paid to the areas of health, the environment and climate change. Artificial intelligence, in combination with the necessary infrastructure and related education, has the potential to increase capital and labor productivity, sustainable growth and innovation, and create jobs. At the same time, however, Parliament stressed that the introduction of artificial intelligence also raises extremely relevant ethical and legal issues, and that certain technologies may increase the risk of unlawful interference and pose a threat to fundamental rights. In this respect, effective mechanisms for the protection of fundamental rights must be developed. The rapporteur Axel Voss stated in this regard: “The EU now has the unique chance to promote a human-centric and trustworthy approach to AI. One that is based on fundamental rights, which manages risks while taking full advantage of the benefits AI can bring for the whole of society. We need a legal framework that leaves space for innovation, and a harmonized digital single market with clear standards. We need maximum investment and a robust and sustainable digital infrastructure that all citizens can access.”

Among other things, the recommendations are intended to serve as a basis for further parliamentary work on the AI issue and, in particular, the AI Act, which is currently being discussed in the Internal Market and Consumer Protection and the Civil Liberties, Justice and Home Affairs committees and is expected to be adopted at the end of September this year.

The AIDA Committee was tasked in 2020 with examining the impact of artificial intelligence on the EU economy, analyzing how other countries are dealing with artificial intelligence, and identifying options for the future.

(Christina Prowald)

Pangea Net: Newsletter of the DICL Practice Group

On the occasion of the fourth birthday of the General Data Protection Regulation on May 25, 2022, the practice group “Data, Information & Cyber Law” (DICL) of our international partner network Pangea Net has published a newsletter.

Pangea Net is an association of independent law firms from over 25 countries that together form an international law firm network. The practice group for data protection and IT law consists of experts in IT and data protection law from the various law firms.

In the current issue, you will find contributions from ten countries on the most important trends in data protection law over the past four years. The focus is primarily on topics such as cookies, cloud services, video surveillance and facial recognition services. The German contribution was written by Dr. Sebastian Meyer and Johanna Schmale from the BRANDI data protection team.

The newsletter with the respective country reports and further information can be downloaded free of charge from the homepage of Pangea Net.

(Christina Prowald)