
Newsletter data protection

Dear readers,

More than four years have passed since the entry into force of the General Data Protection Regulation (GDPR) on May 25, 2018. Since then, we have already discussed questions and issues relating to the application of the GDPR twice at our Data Protection Law Day at LENKWERK Bielefeld with various speakers. We would now like to cordially invite you to our third Data Protection Law Day on September 15, 2022, which will once again be held in an online format. You will find information about the contents of the event and the possibility to ask us questions in advance in this newsletter.

In the newsletter, we will also inform you as usual about current events in data protection law, for example the Data Protection Conference's call on the legislator to create regulations on employee data protection. Employee data protection is also the subject of this month's focus topic.

For feedback on this newsletter or questions related to the newsletter topics, please email us at datenschutz@brandi.net. You can also find the other contact details on our homepage.

Dr. Sebastian Meyer and the BRANDI data protection team

Topic of the month: Employee data protection – General principles

Employers regularly come into contact with personal data of applicants and employees. In order to carry out the employment relationship, the employer must, for example, carry out payroll accounting, plan the deployment of employees in the company and provide the employee with a workplace and means of communication. With regard to the handling of employees’ personal data, there are special requirements under data protection law. On the one hand, the processing of employees’ personal data is essential for the employer; on the other hand, employees have an interest in and also a right to have their personal data collected, processed and used only in compliance with their own interests worthy of protection. As this topic is of great importance in the day-to-day work of every company, the handling of employee data is examined in more detail in this newsletter.


Google Fonts: Damages as a business model

The use of Google's services, most of which are free of charge, has regularly been discussed in the past against the background of whether the integration of Google services results in an impermissible transfer of personal data to the USA, or whether such a transfer can at least not be ruled out. On purely theoretical grounds, it is sometimes argued that Google services can no longer be used at all because the problem of third-country transfer arises and Google does not or cannot provide sufficient protection against it.

In the context of this overall discussion, there is now a first court decision from Germany, which should, however, be treated with caution. The Munich Regional Court (decision dated January 20, 2022, Ref. 3 O 17493/20) ruled that it may be appropriate to award a user non-material damages in the amount of €100.00 if the dynamic reloading of Google Fonts results in an outflow of his data to the USA. In the case of Google Fonts, it should be noted that these can either be stored directly on the server of the site operator or – if this is not the case – a separate retrieval from the servers at Google takes place for each user. In the latter case, it is of course necessary to disclose at least the IP address of the user to Google, which can be avoided when using the first variant. Against this background, the supervisory authorities have correctly taken the view that the dynamic reloading of content directly at Google for the inclusion of Google Fonts is unnecessary and thus also contrary to data protection because there is an equivalent alternative that does not involve the corresponding risk.

On this basis, the Munich Regional Court actually decided to grant the persons affected there a comparatively minor claim for damages. This decision is now increasingly being taken up by individuals who are also demanding a comparable amount from companies, citing the decision of the Munich Regional Court. All variants of the corresponding demand letter, each of which was sent to a large number of companies, are standard form letters that are obviously intended to take the decision of the Munich Regional Court as an opportunity to tap into new sources of income. In some cases, companies are also contacted which, in accordance with the recommendation, have deposited Google Fonts on their own servers and therefore do not provide Google with any data (in this respect).

In the case of the corresponding claim letter, the question arises whether the assertion of a claim for damages is not abusive, irrespective of the existence of the alleged data protection violation. By their conduct, the claimants indicate that they were not surprised or affected by the inclusion of Google services when calling up the relevant pages, as such pages were specifically searched for. In this respect, it is probably justifiable to argue that the relevant claimants even wanted this behavior in order to be able to assert their claims on this basis in the first place. Irrespective of the question of defending against such claims, it is of course always advisable to take the current wave of “cease-and-desist letters” as an opportunity to check whether fonts from third-party providers are used and whether these are kept on the company’s own servers in accordance with the current recommendations.

(Dr. Sebastian Meyer)
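As an added illustration of the check recommended above (this is not part of the newsletter or of BRANDI's material), the following Python script scans a page's HTML and its stylesheet for references that would make a visitor's browser contact Google's font servers; the sample page and CSS are constructed, and the host list is an assumption based on the hosts used for dynamic Google Fonts loading.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts a browser contacts when Google Fonts are loaded dynamically instead of
# self-hosted (assumption for this example: stylesheet host and font-file host).
REMOTE_FONT_HOSTS = {"fonts.googleapis.com", "fonts.gstatic.com"}
# Target of @import "..." / @import url(...) / url(...) in CSS.
_CSS_URL = re.compile(r"""(?:@import\s+(?:url\()?|url\()\s*['"]?([^'")\s;]+)""", re.I)

def css_urls(css):
    """Return every URL referenced from a CSS fragment, as written."""
    return _CSS_URL.findall(css)

class _FontRefCollector(HTMLParser):
    """Collects <link href>, <style> bodies and inline style attributes."""
    def __init__(self):
        super().__init__()
        self.urls, self._in_style = [], False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and a.get("href"):   # stylesheet, preconnect, preload
            self.urls.append(a["href"])
        if tag == "style":
            self._in_style = True
        if a.get("style"):                    # inline style="... url(...)"
            self.urls.extend(css_urls(a["style"]))

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:
            self.urls.extend(css_urls(data))

def find_remote_font_refs(html, extra_css=""):
    """URLs (in document order) that make a visitor's browser contact Google's
    font servers, disclosing at least the visitor's IP address. Relative URLs
    such as /fonts/roboto.woff2 have no host and are not reported (self-hosted)."""
    collector = _FontRefCollector()
    collector.feed(html)
    hits = []
    for url in collector.urls + css_urls(extra_css):
        host = urlparse(url).hostname   # handles https://, //host/ and relative paths
        if host and host.lower() in REMOTE_FONT_HOSTS:
            hits.append(url)
    return hits

# Constructed sample: a preconnect and two dynamic Google Fonts references, plus a
# self-hosted @font-face in the site's own stylesheet (must not be flagged).
SAMPLE_PAGE = """<html><head>
<link rel="preconnect" href="https://fonts.gstatic.com">
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Roboto">
<link rel="stylesheet" href="/static/fonts.css">
<style>@import url("//fonts.googleapis.com/css?family=Open+Sans");</style>
</head><body><p style="font-family: Roboto">Hello</p></body></html>"""
SAMPLE_CSS = '@font-face { font-family: Roboto; src: url(/fonts/roboto.woff2); }'
```

Run `find_remote_font_refs` over each template and stylesheet of a site; an empty result for every page means fonts are served from the company's own servers as the supervisory authorities recommend.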

EDPB: Uniform sanctioning of data protection violations throughout Europe

The European Data Protection Board (EDPB) adopted guidelines on the calculation of administrative fines at its meeting on May 12, 2022, thus making progress with regard to the uniform sanctioning of data protection violations in Europe (see EDPB press release of May 16, 2022).

Data protection supervisory authorities may impose fines to sanction data protection violations; according to the GDPR, these are intended to be "effective, proportionate and dissuasive" and, in serious cases, may reach an amount of up to €20,000,000 or 4% of a company's total global annual turnover. In order to create more transparency in the calculation of fines, the Data Protection Conference (DSK), the body of the independent German federal and state data protection supervisory authorities, already drew up its own concept for the calculation of fines in October 2019. This concept was expressly intended to apply until uniform requirements are established at the European level.

The essential aim of the EDPB guidelines now adopted is to bring about greater harmonization of the fining practice of the various supervisory authorities at the European level. A core element of the guidelines, similar to the DSK's approach to fines, is the establishment of a basic amount for the imposition of fines. The basic amount is determined on the basis of three components: the classification of the offense according to the norm violated, the severity of the specific offense, and the company's turnover. The guidelines establish a five-step calculation methodology, which also includes rules on the maximum fine amount.

The State Commissioner for Data Protection and Freedom of Information of Baden-Württemberg has already welcomed the guidelines presented. In a press release, however, it points out that these do not represent a “fine calculator”, but that effective, proportionate and dissuasive sanctioning still requires concrete consideration in individual cases.

(Johanna Schmale)

DSK: Demand for an employee data protection law

The DSK has published a resolution dated April 29, 2022 in which it calls for the creation of an Employee Data Protection Act. In the document, the DSK describes that the dynamically developing digitalization is leading to profound changes in the world of work. Advancing technical developments are making it possible to monitor employees more and more closely.

European law allows member states to create specific regulations for the processing of employee data. The German legislator has already made such a provision in Section 26 of the Federal Data Protection Act (BDSG). However, the DSK is of the opinion that more far-reaching regulations are necessary, as Section 26 of the BDSG is not sufficiently practicable, clear and appropriate. Due to the wording of the regulation as a general clause, which opens up wide scope for interpretation, it leads to ambiguities about the permissibility of processing personal data in the context of employment. The DSK therefore welcomes the fact that the coalition agreement at the federal level explicitly commits to the creation of regulations on employee data protection (coalition agreement “Mehr Fortschritt wagen”, p. 17; see our Data Protection Newsletter in December 2021).

The DSK calls on the legislator to create legal regulations within the framework of an independent Employee Data Protection Act, at least in the areas it considers particularly important and which are listed in the document. These areas include, among others, the use of algorithmic systems including artificial intelligence, the limits of behavioral and performance monitoring, additions to the consent framework, regulations on data processing based on collective agreements, and data processing in application and selection procedures.

It remains to be seen whether the legislator will act on this issue in the near future and whether a new Employee Data Protection Act will actually be passed.

(Johanna Schmale)

Data protection supervisory authority of Hesse: Zoom compliant with GDPR under certain conditions

In a press release dated June 17, 2022, the Hessian Commissioner for Data Protection and Freedom of Information (HBDI) stated that, in his opinion, the Zoom video conferencing system could be used for courses at Hessian universities in compliance with the GDPR under certain conditions.

The transfer of data to the USA associated with the use of the software is problematic from a data protection perspective. The background to this issue is the “Schrems II” decision of the European Court of Justice (ECJ, decision dated July 16, 2020, Ref. C-311/18, see our Data Protection Newsletter in August 2020), in which the ECJ declared the EU-US Privacy Shield invalid. In the ruling, the ECJ criticizes the level of data protection in the USA, particularly due to the far-reaching access to data by U.S. intelligence agencies.

According to the HBDI, a prerequisite for the privacy-compliant use of Zoom is therefore that universities rule out the possibility of U.S. authorities accessing the content and metadata from video conferences. Accordingly, the University of Kassel, together with the HBDI, had developed a “Hessian model” that would allow the Zoom video conferencing system to be configured and operated by universities without violating the ECJ’s data protection requirements. In the model, the HBDI assesses the remaining risk for participants in Zoom video conferences with the existing choices as compatible with data protection requirements. In particular, the universities would ensure that they:

  • engage a processor based in the EU that is independent of Zoom to operate the video conferencing system on servers in the EU and to handle billing,
  • provide end-to-end encryption of all content data,
  • prevent the outflow of student personal data to the USA and access to such data from within the USA,
  • limit the use of Zoom to courses,
  • provide an alternative privacy-compliant video conferencing system for other purposes or for faculty who do not want to use Zoom,
  • inform teachers and students in detail about further, supporting measures for the protection of informational self-determination.

The statement in the press release primarily refers to the use of Zoom at Hessian universities. However, the basic assessment can also be applied to other areas. The HBDI states that the design could also be a model for other video conferencing systems and could be methodically transferred to many problems of data protection. The HBDI provides further information on the model on its homepage.

(Johanna Schmale)

ECJ to clarify scope of right of access

The question of the scope of the right of access pursuant to Article 15(1) of the GDPR is repeatedly the subject of court decisions. Linguistically, the provision in Article 15(3) of the GDPR, according to which the controller must provide a "copy" of the personal data upon request, is particularly unfortunate. This wording is repeatedly understood to mean that a complete reproduction of existing documents may be demanded. Correctly interpreted, however, the term "copy" merely expresses that the data is handed over while nevertheless (also) remaining with the controller. There are already referral proceedings on this subject initiated by the Austrian Federal Administrative Court, as well as, with regard to the release of patient files, a referral order by the Federal Court of Justice (BGH, decision dated March 29, 2022, Ref. VI ZR 1352/20). In a further decision, the Federal Court of Justice has now ruled that court disputes relating to the obligation to surrender copies can be suspended until the ECJ reaches a decision, without the issue having to be referred to the ECJ again (BGH, decision dated May 31, 2022, Ref. VI ZR 223/21).

Irrespective of the pending judicial clarification, however, it is of course advisable to provide data subjects who request information about the data stored about them with the most comprehensive information possible. However, if excessive claims are made by the parties concerned, it may of course be appropriate to postpone the issue pending a decision by the ECJ.

(Dr. Sebastian Meyer)

Activity Report of the Data Protection Supervisory Authority NRW

The State Commissioner for Data Protection and Freedom of Information of North Rhine-Westphalia Bettina Gayk recently published the 27th activity report of the supervisory authority for the year 2021. Ms. Gayk first reported that the year 2021 was still clearly marked by the Corona pandemic. The frequent short-term adaptation of the legal situation – in particular of the Infection Protection Act – had triggered a large number of data protection-related questions and problems that had to be solved at equally short notice. The report also addresses various other issues relating to employee data protection, such as reasons for absence in duty rosters that can be viewed by all employees and the forwarding of data from company integration management to the HR department and the works council.

In addition, Ms. Gayk points out that the transfer of personal data to third countries continues to be an extremely relevant and topical data protection issue, and in this regard she also discusses the implementation difficulties in practice as well as possible measures for safeguarding. In response to the ECJ’s “Schrems II” ruling of July 16, 2020 (Ref. C-311/18), the EDPB had issued recommendations on supplementary safeguards, which were again fundamentally revised in the reporting period. In addition, the European Commission had issued new Standard Contractual Clauses in June 2021 to safeguard data transfers to third countries (see our Data Protection Newsletter July 2021). As with all guarantees under Article 46 of the GDPR, however, it would be necessary in this respect for data exporters to carry out additional checks in each individual case with regard to the required level of data protection and, if necessary, to take additional safeguards. In addition, comprehensive documentation of the respective processes and decisions is generally required.

The State Data Protection Commissioner highlights the entry into force of the Telecommunications Telemedia Data Protection Act (TTDSG) as an important event (see our Data Protection Newsletter December 2021). The new TTDSG also serves, among other things, to implement the cookie case law of the ECJ and the German Federal Supreme Court on the use of cookies in online offers and the requirements developed by that case law. Section 25 of the TTDSG now expressly stipulates that the setting of certain cookies requires the active consent of the user to this data processing.

Furthermore, Ms. Gayk draws attention to the high number of complaints submitted to the supervisory authority, which has tripled since the entry into force of the GDPR. In total, more than 7,000 complaints were filed by data subjects and third parties last year, and 1,841 notifications were made pursuant to Article 33 of the GDPR regarding so-called data breaches. In addition, the authority received 1,412 requests for advice from data controllers, processors and data subjects. A further 115 new proceedings were registered with the fine unit and 57 fine notices were issued. The supervisory authority also took another 680 measures against data controllers.

(Christina Prowald)

On our own behalf: Cordial invitation to the BRANDI Data Protection Law Day on September 15, 2022

We cordially invite you to our Data Protection Law Day on September 15, 2022!

Since the entry into force of the GDPR, some data protection issues in connection with the application of the GDPR have now been fully or at least partially clarified by courts and supervisory authorities. Other questions and problems still arise or are even entirely new. Therefore, we would like to use the third edition of our Data Protection Law Day at LENKWERK Bielefeld to discuss the topic of “Data protection incidents – parties involved, consequences and safeguarding” with you and external experts.

For the event, we have once again been able to attract renowned experts who deal intensively with data protection incidents in their day-to-day work and from different perspectives. In addition to Mr. Carl Christoph Möller, Legal Counsel at Verbraucherzentrale North Rhine-Westphalia, a speaker from a German supervisory authority will help shape our Data Protection Law Day.

In the course of two keynote presentations, each followed by a discussion, we will take a closer look at both the civil law and the public law perspectives on data protection incidents and discuss the following questions and topics, among others:

  • How does the Verbraucherzentrale select its procedures?
  • Claims for damages in the event of data privacy violations by competitors
  • Data subject claims in connection with data protection violations, in particular claims for injunctive relief and damages for pain and suffering
  • Standards for the calculation of fines
  • Role and position of the supervisory authority in data breach proceedings
  • The principle of self-incrimination in fine proceedings
  • Cooperation strategies
  • Enforcement practice of the supervisory authorities

You will have the opportunity to ask questions online during the event and thereby actively participate in the discussion. You are also welcome to send us questions in advance to the following e-mail address in preparation: WissMit-DatenschutzBI@brandi.net.

We will inform you about the possibilities to register for the event later this month on our homepage as well as in our Data Protection Newsletter.

(Johanna Schmale)

On our own behalf: Presentation of Ms. Eva Ritterswürden

Since April 2022, Ms. Eva Ritterswürden has been supporting the BRANDI team in Bielefeld as a research associate. Ms. Ritterswürden studied at the University of Bielefeld and successfully completed her first state examination in February 2022. She took the specialization course “Innovation, Digitization and Competition”.

Ms. Ritterswürden strengthens the IT and Data Protection department in Bielefeld, particularly in the examination of data protection audits. She also advises clients on all other data protection issues.