
Newsletter data protection

Dear readers,

As part of the Cyber Study 2024, HDI Versicherung surveyed around 1,500 IT and insurance decision-makers on the risks associated with cyberattacks. The focus was on threats to small and medium-sized enterprises (SMEs).

The study revealed that more and more SMEs are falling victim to cyberattacks. While around 40% of respondents stated that they had already been affected by an attack last year, the figure increased to 53% in the current survey. Although the risk of being affected by an incident was rated as higher than in previous years, the study also revealed that employees' awareness of the risk of attack and damage to their own company drops relatively quickly after an attack. 57% of respondents whose companies had been affected by a cyberattack in the last 12 months rated the risk of another attack as “high” to “very high”. By contrast, if the attack had already occurred three years ago, only 27% of participants were of this opinion.

For feedback on this newsletter or questions related to the newsletter topics, please email us at datenschutz@brandi.net. You can also find the other contact details on our homepage.

Dr. Sebastian Meyer and the BRANDI data protection team

Topic of the month: The use of Microsoft 365 in the company

Microsoft 365 has become an integral part of the day-to-day work of many companies and institutions. In the area of common Office applications (such as word processing and spreadsheets), Microsoft already has a dominant market share. In addition to the Office applications, the Microsoft 365 offering also includes many other services and functions that considerably simplify and improve day-to-day business and internal organization, for example by integrating the Microsoft Teams or Microsoft SharePoint collaboration programs.

However, the use of Microsoft 365 is viewed critically from a data protection perspective, particularly by the supervisory authorities. The responsible body (the controller) can nevertheless take numerous protective measures to minimize the existing risks.


Digital Services Act replaces Telemedia Act

On May 14, 2024, the German Telemedia Act (TMG) expired and was replaced by the German Digital Services Act (DDG). This may result in a need for website operators to adapt their legal notice. If the legal notice refers to the previous regulation of Section 5 TMG, this should be changed to Section 5 DDG. The same applies if the term Telemedia Act was used in a different context on the website. As the name of the “Telecommunications Telemedia Data Protection Act” (TTDSG) was also changed to “Telecommunications Digital Services Data Protection Act” (TDDDG) in the course of the introduction of the DDG, references to the TTDSG must also be updated accordingly. Although the new provision of Section 5 DDG has not changed in content compared to its predecessor standard, a changeover should be made in order to avoid being accused of using old and no longer valid legal terms.

(Christina Prowald)

ECJ specifies requirements for data retention

In its decision of April 30, 2024, the ECJ specified the requirements for the modalities of data retention and access to such data (ECJ, decision dated 30.04.2024 - Ref. C-470/21).

The ECJ ruled that Member States may, in principle, impose an obligation on internet access providers to retain IP addresses generally and indiscriminately in order to combat criminal offenses, provided that the retention does not allow precise conclusions to be drawn about the private lives of the persons concerned. Providers must be obliged to ensure a strict separation between IP addresses and other personal data, in particular identity data. The court also stated that the Member States may, under certain conditions, grant the competent national authorities access to the identity data associated with an IP address for the purpose of investigating criminal offenses. However, sufficient safeguards must be put in place to ensure that, beyond the strictly limited purpose of identifying a suspected person, precise conclusions about the private life of the IP address holder can be ruled out. In certain situations, access should be subject to prior review by a court or an independent administrative body. According to the ECJ, the systems used by the competent authorities must also be subject to regular review in order to ensure protection against misuse or unauthorized use and to clarify any infringements.

The decision was based on legal disputes concerning two French decrees that enabled the collection and comparison of IP addresses.

(Christina Prowald)

BGH on the term “copy of personal data” in Article 15 (3) GDPR

On March 15, 2024, the BGH commented on the interpretation of the term “copy of personal data” in Article 15 (3) GDPR (BGH, decision dated 15.03.2024 - Ref. VI ZR 330/21).

The plaintiff received financial advice on investments and insurance from the two defendants. After the end of the consultation, the plaintiff then asserted her right of access against the defendants in accordance with Article 15 GDPR and requested copies of all personal data held by the defendants, including telephone notes, file notes and comparable records relating to the consultation activity.

After the lower courts ruled in favor of the plaintiff, the defendants appealed to the BGH. This court ordered a partial reversal of the judgment of the Munich Higher Regional Court and differentiated between the letters written by the plaintiff herself and the other consultation documents. The plaintiff's claim under Article 15 (3) GDPR only extends to the letters and emails written by the plaintiff herself. In contrast, copies of the other documents do not have to be provided, even if these documents also contain personal data.

The Federal Court of Justice justified this by stating that personal data exists if information of any kind is provided about a person. This can be assumed if the information is linked to a specific person by its content, purpose or effect. For the letters written by the plaintiff, such a link exists due to the content of the letters. A person's own statements or letters always have a link to the person making the statement and must therefore be made available as a copy, as they contain a personal reference in their entirety. In contrast, no such personal reference can be assumed across the board for letters from third parties to the plaintiff, even if those documents contain data of the plaintiff. The personal reference must be examined on a case-by-case basis. If documents only contain isolated pieces of personal data, they do not automatically have to be made available in their entirety as a copy. This is only necessary if the context is required in order to understand the data processing and to be able to exercise the data subject's rights. Finally, the BGH differentiates between the admissible request to receive a copy of all personal data and the request to receive a copy of all documents containing personal data. The latter cannot be based on Article 15 (3) GDPR, as the claim does not relate to the object “document”.

Further information on this procedure can be found in a comment on the decision by Dr. Sebastian Meyer and Lukas Ingold, which will be published in the next issue of jusIT.

(Christina Prowald)

BGH on the claim for damages under Article 82 GDPR

On December 12, 2023, the Federal Court of Justice (BGH) commented on the burden of presentation and proof for claims for damages under Article 82 GDPR in the context of a complaint alleging a violation of the right to be heard (BGH, decision dated 12.12.2023 - Ref. VI ZR 277/22).

In its decision, the BGH primarily relied on the ruling of the ECJ from May 4, 2023 (we reported in June 2023). According to this, Article 82 (1) GDPR is to be interpreted to the effect that the mere violation of the provisions of the GDPR is not sufficient for a claim for damages; further damage is required. By contrast, it is not necessary for this damage to have exceeded a materiality threshold. However, this does not release the claimant from having to demonstrate and prove the negative consequences suffered and the resulting damage. As a result, the decision of the Court of Appeal was not objectionable, as the plaintiff had not demonstrated the negative consequences for her and the non-material damage.

The decision of the BGH was issued a few days before the decisions of the ECJ in which the ECJ once again specified the requirements for the claim for non-material damages under Article 82 GDPR with reference to its decision from May 2023 (we reported in January 2024), so those decisions could not yet be taken into account.

(Christina Prowald)

OLG Stuttgart: No compensation for personalized advertising by letter

On February 2, 2024, the Higher Regional Court of Stuttgart confirmed the opinion of the lower court that Article 6 (1) (1) (f) GDPR can be used as the legal basis for sending postal advertising (OLG Stuttgart, decision dated 02.02.2024 - Ref. 2 U 63/22).

The plaintiff demanded compensation from the defendant in the amount of 3,000 euros because the defendant sent him an advertising letter. In this respect, the plaintiff was of the opinion that the defendant had processed his personal data without legal grounds, as direct advertising is only permitted in an existing customer relationship.

The Regional Court of Stuttgart dismissed the action at first instance. It was of the opinion that the sending of the advertising letter was permissible on the basis of a legitimate interest pursuant to Article 6 (1) (1) (f) GDPR. It was recognized that the provision of commercial information constituted a legitimate interest. A customer relationship is not a prerequisite in this respect.

The Higher Regional Court of Stuttgart has now confirmed this view and once again pointed out that neither Article 6 (1) (1) (f) GDPR nor the recitals provide any indication that direct marketing is only recognized as a legitimate interest within an existing customer relationship. Rather, a legitimate interest is to be understood as any legal, economic or non-material interest, which may also lie outside a customer relationship. Contrary to the plaintiff's assertion, the data processing was also necessary. In particular, this classification is not contradicted by the fact that it would also have been possible to send the advertising by email. The plaintiff cannot argue that sending electronic messages is less burdensome for the data subject. Rather, advertising by electronic mail is to be classified as unreasonable harassment under Section 7 (2) No. 2 UWG, while the sending of post that is recognizable as advertising is considered permissible.

Moreover, irrespective of the fact that there was no infringement in the first place, the plaintiff had not sufficiently demonstrated that he had suffered any damage, which is why the court dismissed the appeal.

(Christina Prowald)

LAG Mainz: No claim for damages due to delayed information

On February 8, 2024, the LAG Mainz ruled that the delayed provision of information in response to a request pursuant to Article 15 (1) GDPR does not in itself constitute immaterial damage (LAG Mainz, decision dated 08.02.2024 - Ref. 5 Sa 154/23).

The plaintiff was employed by the defendant and asserted her right of access pursuant to Article 15 (1) GDPR in the course of disputes. However, the employer did not provide information on the request in due time, but with a delay of 18 days. The plaintiff subsequently asserted a claim for damages against the defendant pursuant to Article 82 GDPR.

The LAG Mainz denied the plaintiff's claim for damages. With reference to the ECJ, it stated that the mere violation of the GDPR was not sufficient to justify a claim for damages. Delayed information as such does not trigger liability in this respect. The loss of control alleged by the plaintiff also does not constitute damage. Moreover, she had not sufficiently substantiated this. Mere annoyance about the delayed information was also not sufficient. There was also no humiliation of the plaintiff.

(Christina Prowald)

VG Berlin on the requirements for the provision of information

On January 10, 2024, the VG Berlin ruled on the requirements for the provision of information (VG Berlin, decision dated 10.01.2024 - Ref. 1 K 73/22). It stated that the right of access only relates to receiving information about the existing data, not also to being provided with this data in a form that is as easy to comprehend as possible. This applies in any case as long as it is not unreasonably difficult for the data subject to gain knowledge of the data. There is no unreasonable burden if the data subject receives a searchable PDF file in which they can use the search function to identify the parts of the file containing personal data.

Furthermore, the court stated that it was not the subject of the request for information whether the processing purposes named by the controller were correct in terms of content. If the purposes were specified to the claimant, the claim is fulfilled in principle. If the information does not provide sufficient grounds for data storage, only the deletion or restriction of the data can be requested on this basis.

(Christina Prowald)

LG Wiesbaden: No compensation for damages due to data transfer to SCHUFA

According to the Wiesbaden Regional Court, the disclosure to Schufa of the fact that a customer has concluded a mobile phone contract does not constitute non-material damage (LG Wiesbaden, decision dated 16.04.2024 - Ref. 10 O 100/23; GRUR-RS 2024, 8264).

The plaintiff asserted a claim for damages against the defendant telecommunications service provider under Article 82 GDPR, among other things, because the provider had transmitted data to Schufa in the course of concluding a mobile phone contract. The plaintiff had been informed about the transfer of his data to credit agencies when the contract was concluded.

The Wiesbaden Regional Court dismissed the claim because there was no compensable damage. The court could not see how the disclosure of so-called positive data or contract data could lead to non-material damage. The plaintiff's submission in this regard was too general. The assertion that the plaintiff feels a loss of control and is concerned about his own creditworthiness is not comprehensible. A problem could only arise if negative data were forwarded. In this respect, it seems exaggerated to speak of a “constant fear”. Moreover, the plaintiff had not been able to prove any noticeable actual impairment, and the court could not even begin to recognize such an impairment. Furthermore, the plaintiff had already been informed of the data transfer when the contract was concluded. If this circumstance placed such a burden on him, he should not have concluded the contract, in the opinion of the court.

(Christina Prowald)

LG Lüneburg: Compensation for damages due to advertising emails despite unsubscribing from the newsletter

On December 7, 2023, the Regional Court of Lüneburg awarded the plaintiff a claim for damages under Article 82 GDPR in the amount of 500 euros for sending advertising emails despite having unsubscribed from the newsletter (LG Lüneburg, decision dated 07.12.2023 - Ref. 5 O 6/23).

In the case underlying the decision, the plaintiff received numerous advertising emails from the defendant. Although the plaintiff had initially consented to receiving the newsletter, he then revoked his consent and unsubscribed from the newsletter. After unsubscribing, the plaintiff received four more advertising emails from the defendant. The plaintiff then unsubscribed from the newsletter again and received confirmation of this. Nevertheless, he received five further advertising emails, whereupon he asked the defendant to issue a cease-and-desist declaration. After this also had no effect and he received further emails, he took legal action against the company.

The Regional Court of Lüneburg found that the defendant had breached the GDPR by sending the plaintiff advertising emails without this being justified under Article 6 (1) GDPR. The plaintiff had undisputedly withdrawn his consent, meaning that there was no legal basis for the mailing. The infringement had also caused the plaintiff damage. The annoyance, loss of time and impression of loss of control suffered by the plaintiff constituted damage within the meaning of Article 82 GDPR. The fact that even the legal representative was unable to achieve any success with the defendant was likely to give the plaintiff the impression of helplessness and loss of control.

(Christina Prowald)

Finland: Fine of 856,000 euros against Verkkokauppa.com

On March 6, 2024, the Finnish supervisory authority imposed a fine of 856,000 euros on the online retailer Verkkokauppa.com (notification dated 08.05.2024).

The supervisory authority's investigation was prompted by a customer's complaint. The company had required him to register as a customer before he could shop online. Without setting up a customer account, it was not possible to shop in the company's online store.

The supervisory authority found that the company stored the data in the customer account for an indefinite period of time and did not provide any information on deletion. The online retailer was of the opinion that this was not necessary, as the customer could decide for themselves when to close their customer account and request the deletion of their data. The obligation to create a customer account was also criticized as being in breach of data protection law. Creating a customer account should not be a prerequisite for making individual online purchases.

In addition to imposing the fine, the online retailer was instructed to set a retention period for the data from the customer account and to correct the process so that it is no longer mandatory to create a customer account in order to shop.

(Christina Prowald)

Greece: Fine against HELLENIC POST SERVICES S.A.

On February 28, the Greek supervisory authority imposed a fine of 1% of annual worldwide turnover on HELLENIC POST SERVICES S.A. (ELTA S.A.) (notification dated 02.05.2024). The fine related to two data protection incidents reported by the company to the Greek supervisory authority. These involved a ransomware attack in which the company's data was encrypted by third parties and published on the dark web in order to demand a ransom.

As part of its investigation into these incidents, the supervisory authority found that the company had not taken sufficient technical and organizational measures to secure its data processing procedures. As a result, the attackers were able to access the systems, deactivate security software and encrypt the company's data.

The EDPB guidelines were used to determine the fine. In particular, the number of affected persons and data categories, the amount of damage, the type of breach and the failures in security policy were taken into account.

(Christina Prowald)

Czech Republic: fine of 13.9 million euros

On April 10, 2024, the Czech supervisory authority imposed a fine of 13.9 million euros for violation of Articles 6 and 13 (1) GDPR (notification dated 02.05.2024).

The company in question had collected data from users of its antivirus software and transferred it to its sister company without a legal basis. The company lodged an administrative appeal against the Czech supervisory authority's first-instance decision in 2022. In its appeal decision, the supervisory authority has now addressed the company's objections and confirmed the first-instance decision. In particular, there was no legal basis for the data processing in question. Furthermore, the company had not sufficiently informed users about the data transfer in question. The company had claimed that the user data was anonymized and used exclusively for statistical purposes, whereas in fact it was pseudonymized information that was linked to a unique identifier and could be used to re-identify the data subject.

In the view of the supervisory authority, the breach is particularly serious because the controller is itself one of the leading experts in cyber security. Around 100 million users were affected by the unlawful data processing. The decision is final and enforceable.

(Christina Prowald)